Primary

Context

TOTOLINK N150RT Command Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A command injection vulnerability has been identified in the TOTOLINK N150RT router, specifically in the firmware version 3.4.0-B20190525. This vulnerability allows remote attackers to execute arbitrary commands on the device by manipulating the 'localPin' parameter in a POST request to '/boafrm/formWsc'.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/boafrm/formWsc' with a crafted 'localPin' parameter. This can be done using a tool like Burp Suite. Once the request is sent, the injected command will be executed on the router's operating system.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

1.4

impact

7.5

exploitability

6.2

remediation

0.0

relevance

0.0

threat

6.6

urgency

2.9

incentive

0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

1.4

impact

7.5

exploitability

6.2

remediation

0.0

relevance

0.0

threat

6.6

urgency

2.9

incentive

0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

TOTOLINK N150RT Command Injection Vulnerability Allowing Remote Code Execution

Vulnerability

Impact

Reproduction

Affected Products

TOTOLINK N150RT

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating