A critical buffer overflow vulnerability (CVE-2025-3991) has been identified in TOTOLINK N150RT routers running firmware version 3.4.0-B20190525. The flaw, which affects the /boafrm/formWdsEncrypt file, allows remote attackers to execute arbitrary code via manipulation of the submit-url parameter. With a CVSS score of 8.8 (High), this vulnerability poses significant risks to unpatched devices, especially since exploit details are already public1.
Technical Overview
The vulnerability stems from insufficient input validation in the submit-url parameter processing within the router’s web interface. Attackers can trigger a stack-based buffer overflow (CWE-121) by sending crafted HTTP requests, potentially leading to remote code execution (RCE) without authentication2. This aligns with historical weaknesses in TOTOLINK firmware, including similar flaws like CVE-2025-28033 in other models such as the A800R and A810R series3.
Public disclosures indicate active exploitation attempts, though no official patches are available as of April 28, 2025. The vulnerability’s remote attack vector (AV:N) and low attack complexity (AC:L) make it particularly dangerous for exposed devices4.
Affected Systems and Mitigation
The following TOTOLINK models and firmware versions are confirmed vulnerable:
| Model | Firmware Version | CVE |
|---|---|---|
| N150RT | 3.4.0-B20190525 | CVE-2025-3991 |
| A800R | V4.1.2cu.5137_B20200730 | CVE-2025-28033 |
Recommended actions:
- Disable remote administration features on affected routers.
- Implement network segmentation to restrict access to management interfaces.
- Monitor for anomalous traffic patterns, particularly HTTP requests targeting
/boafrm/formWdsEncrypt.
Exploitation Context
The public disclosure includes references to proof-of-concept (PoC) exploits, though specific code has not been released on mainstream platforms like GitHub5. Historical data suggests that TOTOLINK routers are frequently targeted due to their widespread use in SOHO environments and delayed patch cycles. Related vulnerabilities (CVE-2025-3988 to CVE-2025-3990) in the N150RT firmware further compound the risk6.
Conclusion
CVE-2025-3991 represents a high-risk vulnerability requiring immediate attention from network administrators. Organizations using TOTOLINK routers should apply workarounds while awaiting vendor patches. Continuous monitoring of threat intelligence sources like Vulmon and NVD is advised for updates7.
References
- “CVE-2025-3991 Detail,” National Vulnerability Database, 2025. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2025-3991.
- “TOTOLINK Router Vulnerabilities,” SecAlerts, 2025. [Online]. Available: https://secalerts.co/vulnerability/CVE-2025-3991.
- “CVE-2025-28033 Analysis,” Vulmon, 2025. [Online]. Available: https://cvefeed.io/vuln/detail/CVE-2025-28033.
- “CVSS v3.1 Calculator,” FIRST, 2025. [Online]. Available: https://www.first.org/cvss/calculator/3.1.
- “Exploit Development Notes,” Notion, 2025. [Online]. Available: https://locrian-lightning-dc7.notion.site/….
- “Tenable Advisory,” Tenable, 2025. [Online]. Available: https://www.tenable.com/cve/CVE-2025-3989.
- “Vulners Feed,” Vulners, 2025. [Online]. Available: https://vulners.com/cve/CVE-2025-3990.
