TOTOLINK A3002R Command Injection Vulnerability in bupload.html Component

Vulnerability

A command injection vulnerability has been identified in the TOTOLINK A3002R router, version 4.0.0-B20230531.1404. The issue lies in the bupload.html component, which handles the upload of binary files during firmware updates. The vulnerability allows attackers to execute arbitrary commands by manipulating field values in the upload request.

Impact

Exploitation of this vulnerability allows for OS command injection, where injected commands are executed on the device's operating system.

Reproduction

To reproduce this vulnerability, upload a file through the web interface that accepts firmware images. After selecting the file, use Burp Suite to intercept and modify the request. Inject a command into the 'filename' parameter, separating commands with semicolons. Once the modified request is sent, the injected command will be executed on the device.
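The defect class described above, as an added illustration that is not the router's actual code: a hypothetical upload handler that interpolates the client-supplied filename into a shell command string (the pattern that makes semicolon injection possible), next to a hardened validator that accepts only a strict allowlist of characters and a log-review helper that flags names carrying shell metacharacters. Function names, the command template and the sample filenames are all constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical vulnerable pattern (NOT the actual TOTOLINK code): the
 * client-supplied filename is pasted into a command that would be handed
 * to system(). Any ';', '|', '&', '`' or '$' in the name is then parsed by
 * /bin/sh as a second command. The string is only built here, never run. */
int build_unsafe_command(const char *filename, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "cp /tmp/upload/%s /tmp/firmware.bin", filename);
    return n >= 0 && (size_t)n < outlen;
}

/* Hardened check: a short name made only of [A-Za-z0-9._-], not starting
 * with '.' or '-', and containing no path separator. Returns 1 if safe.
 * A handler that passes this check should still fork()/execve() the
 * copy tool directly rather than call system(), so no shell sees the name. */
int is_safe_upload_name(const char *filename) {
    size_t len = strlen(filename);
    if (len == 0 || len > 64) return 0;
    if (filename[0] == '.' || filename[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)filename[i];
        if (isalnum(c) || c == '.' || c == '_' || c == '-') continue;
        return 0;   /* rejects ';', '|', '&', '`', '$', '/', spaces, ... */
    }
    return 1;
}

/* Log-review helper for defenders: flags a filename that carries shell
 * metacharacters, the signature of an injection attempt against this bug. */
int has_shell_metachar(const char *filename) {
    return strpbrk(filename, ";|&`$()<>\n") != NULL;
}

int main(void) {
    /* constructed samples: one benign name, one injection-shaped name, one traversal */
    const char *names[] = { "fw_A3002R.bin", "fw.bin;echo", "../etc/passwd" };
    char cmd[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        build_unsafe_command(names[i], cmd, sizeof cmd);
        printf("%-16s safe=%d metachar=%d cmd=\"%s\"\n", names[i],
               is_safe_upload_name(names[i]), has_shell_metachar(names[i]), cmd);
    }
    return 0;
}
```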

Added: Aug 18, 2025, 8:18 PM
Updated: Aug 18, 2025, 8:18 PM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 7.5
exploitability: 7.4
remediation: 0.0
relevance: 0.3
threat: 6.5
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.