
CVE-2025-6164: Totolink A3002r Buffer Overflow Vulnerability

CVE-2025-6164 is a critical buffer overflow vulnerability in Totolink A3002r Firmware affecting the HTTP POST request handler. Attackers can exploit this remotely to compromise devices. This article covers technical details, affected versions, impact assessment, and mitigation strategies.


CVE-2025-6164 Overview

CVE-2025-6164 is a buffer overflow vulnerability in the TOTOLINK A3002R router running firmware version 4.0.0-B20230531.1404. The flaw resides in the /boafrm/formMultiAP endpoint handled by the HTTP POST Request Handler. Attackers manipulate the submit-url argument to trigger memory corruption [CWE-119]. The vulnerability is remotely exploitable and a public exploit has been disclosed.

Critical Impact

Remote attackers with low privileges can corrupt memory in the router's web service, potentially leading to arbitrary code execution and full device compromise.

Affected Products

  • TOTOLINK A3002R hardware device
  • TOTOLINK A3002R firmware version 4.0.0-B20230531.1404
  • Deployments exposing the device web interface to untrusted networks

Discovery Timeline

  • 2025-06-17 - CVE-2025-6164 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-6164

Vulnerability Analysis

The vulnerability affects the embedded boa web server component that handles router configuration requests on the TOTOLINK A3002R. The /boafrm/formMultiAP handler processes HTTP POST data containing a submit-url parameter. The handler copies attacker-controlled input into a fixed-size stack or heap buffer without enforcing length checks. This results in a classic buffer overflow condition classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer).

Authenticated attackers send a crafted HTTP POST request containing an oversized submit-url value. The overflow corrupts adjacent memory regions in the web server process. Depending on memory layout and protections, attackers can crash the service or hijack control flow to execute arbitrary code with the privileges of the web daemon, typically root on consumer routers.

Root Cause

The root cause is the absence of input length validation before copying the submit-url parameter into a fixed-size buffer. SOHO router firmware frequently lacks stack canaries, ASLR, and non-executable memory enforcement, which lowers the barrier to weaponizing such overflows.
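The copy pattern described above, as an added illustration written for this article rather than code taken from the TOTOLINK firmware or the published PoC. The vulnerable handler is shown beside a bounded version; the 64-byte buffer size, the function names, the return values and the constructed input helper are all assumptions.

```c
/*
 * Added illustration, not TOTOLINK firmware code: the unchecked copy of the
 * submit-url value that CVE-2025-6164 describes, beside a bounded version.
 * REDIRECT_MAX, the function names and the return values are assumptions.
 */
#include <stdio.h>
#include <string.h>

#define REDIRECT_MAX 64   /* assumed size of the fixed buffer in the handler */

/*
 * Vulnerable pattern (CWE-119): the value taken from the POST body is copied
 * into a fixed stack buffer with no length check. A submit-url of
 * REDIRECT_MAX bytes or more writes past the end of `redirect`.
 * Only call this with short input; with long input the behaviour is undefined.
 */
int vulnerable_form_multi_ap(const char *submit_url)
{
    char redirect[REDIRECT_MAX];
    strcpy(redirect, submit_url);       /* no bound: the overflow happens here */
    return (int)strlen(redirect);       /* bytes the handler went on to use */
}

/*
 * Hardened form: measure the input only within the destination's capacity,
 * refuse anything that does not fit (no silent truncation either), then copy
 * exactly the bytes that were checked. Returns the copied length, or -1.
 */
int hardened_form_multi_ap(const char *submit_url, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen == 0)
        return -1;
    while (n < outlen && submit_url[n] != '\0')   /* never read past outlen */
        n++;
    if (n == outlen)                    /* no room for the terminator: reject */
        return -1;
    memcpy(out, submit_url, n);
    out[n] = '\0';
    return (int)n;
}

/* Wrapper that runs the hardened handler against a REDIRECT_MAX buffer. */
int hardened_form_multi_ap_default(const char *submit_url)
{
    char redirect[REDIRECT_MAX];
    return hardened_form_multi_ap(submit_url, redirect, sizeof redirect);
}

/* Constructed input (hypothetical exploit shape): n bytes of 'A', capped. */
const char *constructed_value_of_len(size_t n)
{
    static char value[4 * REDIRECT_MAX];
    if (n > sizeof value - 1)
        n = sizeof value - 1;
    memset(value, 'A', n);
    value[n] = '\0';
    return value;
}

int main(void)
{
    printf("short value: vulnerable=%d hardened=%d\n",
           vulnerable_form_multi_ap("/multi_ap.htm"),
           hardened_form_multi_ap_default("/multi_ap.htm"));
    /* the vulnerable handler is deliberately not called with oversized input */
    printf("63 bytes: hardened=%d\n",
           hardened_form_multi_ap_default(constructed_value_of_len(63)));
    printf("64 bytes: hardened=%d (rejected)\n",
           hardened_form_multi_ap_default(constructed_value_of_len(64)));
    return 0;
}
```

The hardened version rejects rather than truncates: a silently shortened redirect target is still a logic bug, and rejecting lets the handler return an error to the client instead of acting on a mangled value. Whether a given A3002R build also lacks stack canaries or NX, as the paragraph above suggests for SOHO firmware generally, should be checked against the actual firmware image rather than assumed.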

Attack Vector

Exploitation occurs over the network against the device HTTP interface. The CVSS vector indicates network attack with low privileges required and no user interaction. A public proof-of-concept is documented in the GitHub PoC Documentation and tracked by VulDB #312639.

No verified exploit code is reproduced here. Refer to the linked PoC references for technical reproduction details.

Detection Methods for CVE-2025-6164

Indicators of Compromise

  • HTTP POST requests targeting /boafrm/formMultiAP containing abnormally long submit-url parameter values.
  • Unexpected restarts or crashes of the boa web server process on the router.
  • Outbound connections initiated by the router to unfamiliar hosts following inbound HTTP traffic.
  • New or modified configuration entries that were not made by an administrator.

Detection Strategies

  • Inspect HTTP traffic to and from router management interfaces for oversized POST bodies targeting /boafrm/ endpoints.
  • Apply intrusion detection signatures that flag submit-url parameter lengths exceeding expected boundaries.
  • Correlate router log anomalies with network telemetry indicating exploitation attempts.
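The oversized-parameter check from the indicator and strategy lists above, as an added example that is not part of the original page or any vendor tooling: it parses a raw HTTP request, confirms it is a POST to /boafrm/formMultiAP, and flags the request when the raw submit-url value exceeds a threshold. The sample requests are constructed for the example, and the 128-byte threshold is an assumption to tune against legitimate traffic on your own network.

```c
/*
 * Added example, not code from the page or from TOTOLINK: flag POST requests
 * to /boafrm/formMultiAP whose submit-url value is longer than a threshold.
 * The threshold and the sample requests below are constructed assumptions.
 */
#include <stdio.h>
#include <string.h>

#define TARGET_PATH "/boafrm/formMultiAP"
#define SUBMIT_URL_THRESHOLD 128   /* assumed: longer than any legitimate path */

/*
 * Length of the raw submit-url value in an x-www-form-urlencoded body, or -1
 * if the parameter is absent. The match must start a field (body start or
 * right after '&') so that e.g. "xsubmit-url=" does not count.
 */
int submit_url_value_len(const char *body)
{
    const char *p = body;
    while ((p = strstr(p, "submit-url=")) != NULL) {
        if (p == body || p[-1] == '&') {
            const char *v = p + strlen("submit-url=");
            const char *end = strchr(v, '&');
            return (int)(end ? (size_t)(end - v) : strlen(v));
        }
        p++;
    }
    return -1;
}

/*
 * Returns 1 if `req` is a POST whose request-target is exactly TARGET_PATH
 * (optionally with a query string) and whose submit-url value exceeds
 * `threshold` bytes; 0 otherwise.
 */
int is_suspicious_request(const char *req, size_t threshold)
{
    size_t plen = strlen(TARGET_PATH);
    const char *path, *body;
    int n;

    if (strncmp(req, "POST ", 5) != 0)
        return 0;
    path = req + 5;
    if (strncmp(path, TARGET_PATH, plen) != 0)
        return 0;
    if (path[plen] != ' ' && path[plen] != '?')   /* reject prefix matches */
        return 0;
    body = strstr(req, "\r\n\r\n");                 /* end of headers */
    if (body == NULL)
        return 0;
    body += 4;
    n = submit_url_value_len(body);
    return n >= 0 && (size_t)n > threshold;
}

/* Constructed sample traffic (not captured from a real device). */
const char BENIGN_REQ[] =
    "POST /boafrm/formMultiAP HTTP/1.1\r\nHost: 192.168.0.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "ap_enable=1&submit-url=/multi_ap.htm";

/* Build a request whose submit-url is n bytes of 'A' (hypothetical shape). */
const char *constructed_attack_request(size_t n)
{
    static char req[2048];
    size_t hdr = strlen("POST /boafrm/formMultiAP HTTP/1.1\r\n"
                        "Host: 192.168.0.1\r\n\r\nsubmit-url=");
    strcpy(req, "POST /boafrm/formMultiAP HTTP/1.1\r\n"
                "Host: 192.168.0.1\r\n\r\nsubmit-url=");
    if (n > sizeof req - hdr - 1)
        n = sizeof req - hdr - 1;
    memset(req + hdr, 'A', n);
    req[hdr + n] = '\0';
    return req;
}

int main(void)
{
    printf("benign:  %d\n", is_suspicious_request(BENIGN_REQ, SUBMIT_URL_THRESHOLD));
    printf("attack:  %d\n", is_suspicious_request(constructed_attack_request(300),
                                                  SUBMIT_URL_THRESHOLD));
    return 0;
}
```

The check measures the value as sent on the wire, so percent-encoding inflates the count; if you decode before measuring, decode the whole body first and keep the threshold in decoded bytes. A prefix-only path match would also catch unrelated /boafrm/formMultiAPxyz handlers, which is why the character after the path is checked.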

Monitoring Recommendations

  • Forward router syslog data into a centralized logging platform and alert on web service restarts.
  • Monitor for unauthenticated or low-privilege sessions issuing administrative requests to /boafrm/formMultiAP.
  • Track EPSS movement on CVE-2025-6164 to prioritize patching as exploitation likelihood evolves.

How to Mitigate CVE-2025-6164

Immediate Actions Required

  • Restrict access to the router web administration interface to trusted management VLANs only.
  • Disable remote (WAN-side) administration on all TOTOLINK A3002R devices.
  • Rotate administrative credentials, since the attack requires low-privilege authentication.
  • Inventory all TOTOLINK A3002R devices running firmware 4.0.0-B20230531.1404 across the environment.

Patch Information

At the time of NVD publication, no vendor fix was linked in the advisory. Consult the TOTOLINK Security Page for firmware updates addressing CVE-2025-6164 and apply them as soon as they are released.

Workarounds

  • Place affected routers behind a network segment that blocks untrusted HTTP access to the management interface.
  • Replace end-of-support TOTOLINK A3002R units with currently supported router hardware where firmware patches are unavailable.
  • Apply web application firewall rules upstream of the device to drop POST requests with oversized submit-url parameters to /boafrm/formMultiAP.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
