{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-4729","assignerOrgId":"1af790b2-7ee1-4545-860a-a788eba489b5","state":"PUBLISHED","assignerShortName":"VulDB","dateReserved":"2025-05-15T07:23:06.748Z","datePublished":"2025-05-15T23:31:06.917Z","dateUpdated":"2025-05-16T13:18:50.742Z"},"containers":{"cna":{"providerMetadata":{"orgId":"1af790b2-7ee1-4545-860a-a788eba489b5","shortName":"VulDB","dateUpdated":"2025-05-15T23:31:06.917Z"},"title":"TOTOLINK A3002R/A3002RU HTTP POST Request formMapDelDevice command injection","problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-77","lang":"en","description":"Command Injection"}]},{"descriptions":[{"type":"CWE","cweId":"CWE-74","lang":"en","description":"Injection"}]}],"affected":[{"vendor":"TOTOLINK","product":"A3002R","versions":[{"version":"3.0.0-B20230809.1615","status":"affected"}],"modules":["HTTP POST Request Handler"]},{"vendor":"TOTOLINK","product":"A3002RU","versions":[{"version":"3.0.0-B20230809.1615","status":"affected"}],"modules":["HTTP POST Request Handler"]}],"descriptions":[{"lang":"en","value":"A vulnerability was found in TOTOLINK A3002R and A3002RU 3.0.0-B20230809.1615. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /boafrm/formMapDelDevice of the component HTTP POST Request Handler. The manipulation of the argument macstr leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used."},{"lang":"de","value":"In TOTOLINK A3002R and A3002RU 3.0.0-B20230809.1615 wurde eine kritische Schwachstelle ausgemacht. Das betrifft eine unbekannte Funktionalität der Datei /boafrm/formMapDelDevice der Komponente HTTP POST Request Handler. Durch Manipulieren des Arguments macstr mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk angegangen werden. Der Exploit steht zur öffentlichen Verfügung."}],"metrics":[{"cvssV4_0":{"version":"4.0","baseScore":5.3,"vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N","baseSeverity":"MEDIUM"}},{"cvssV3_1":{"version":"3.1","baseScore":6.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","baseSeverity":"MEDIUM"}},{"cvssV3_0":{"version":"3.0","baseScore":6.3,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","baseSeverity":"MEDIUM"}},{"cvssV2_0":{"version":"2.0","baseScore":6.5,"vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P"}}],"timeline":[{"time":"2025-05-15T00:00:00.000Z","lang":"en","value":"Advisory disclosed"},{"time":"2025-05-15T02:00:00.000Z","lang":"en","value":"VulDB entry created"},{"time":"2025-05-15T09:28:24.000Z","lang":"en","value":"VulDB entry last update"}],"credits":[{"lang":"en","value":"BabyShark (VulDB User)","type":"reporter"}],"references":[{"url":"https://vuldb.com/?id.309031","name":"VDB-309031 | TOTOLINK A3002R/A3002RU HTTP POST Request formMapDelDevice command injection","tags":["vdb-entry","technical-description"]},{"url":"https://vuldb.com/?ctiid.309031","name":"VDB-309031 | CTI Indicators (IOB, IOC, TTP, IOA)","tags":["signature","permissions-required"]},{"url":"https://vuldb.com/?submit.570686","name":"Submit #570686 | TOTOLINK A3002RU V3/A3002R_V4 V3.0.0-B20230809.1615 Command execution","tags":["third-party-advisory"]},{"url":"https://github.com/CH13hh/tmp_store_cc/blob/main/tt/ta/2.md","tags":["broken-link","exploit"]},{"url":"https://www.totolink.net/","tags":["product"]}]},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-05-16T13:18:45.411260Z","id":"CVE-2025-4729","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-05-16T13:18:50.742Z"}}]}}