CVE-2025-4733 – A critical buffer overflow vulnerability in TOT... (How to Fix)

Q: What is the severity of CVE-2025-4733?

CVE-2025-4733 has a CVSS score of 8.8 (HIGH). A critical buffer overflow vulnerability in TOTOLINK A3002R and A3002RU routers allows remote attackers to execute arbitrary code by sending specially crafted HTTP POST requests to the /boafrm/formIpQoS endpoint. This affects devices running firmware version 3.0.0-B20230809.1615. Attackers can exploit this without authentication to potentially take full control of affected routers.

📋 TL;DR

A critical buffer overflow vulnerability in TOTOLINK A3002R and A3002RU routers allows remote attackers to execute arbitrary code by sending specially crafted HTTP POST requests to the /boafrm/formIpQoS endpoint. This affects devices running firmware version 3.0.0-B20230809.1615. Attackers can exploit this without authentication to potentially take full control of affected routers.

💻 Affected Systems

Products:

TOTOLINK A3002R
TOTOLINK A3002RU

Versions: 3.0.0-B20230809.1615

Operating Systems: Embedded Linux (router firmware)

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability exists in the default firmware configuration. No special configuration is required for exploitation.

📦 What is this software?

A3002r Firmware by Totolink

View all CVEs affecting A3002r Firmware →

A3002ru Firmware by Totolink

View all CVEs affecting A3002ru Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, creation of persistent backdoors, lateral movement into internal networks, and botnet recruitment.

🟠

Likely Case

Remote code execution allowing attackers to modify router configurations, intercept network traffic, or use the device as a pivot point for further attacks.

🟢

If Mitigated

Limited impact if devices are behind firewalls with strict ingress filtering, though internal network exposure remains possible.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable via HTTP requests, making internet-facing devices immediate targets.

🏢 Internal Only: MEDIUM - Internal devices could still be exploited by attackers who have gained initial network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit details have been publicly disclosed on GitHub, making weaponization straightforward for attackers with basic skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.totolink.net/

Restart Required: Yes

Instructions:

1. Check TOTOLINK website for firmware updates. 2. Download latest firmware for your model. 3. Access router admin interface. 4. Navigate to firmware upgrade section. 5. Upload and apply new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Block External Access to Router Admin

linux

Prevent external exploitation by blocking WAN access to router administration interface

iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Disable Remote Management

all

Turn off remote administration features in router settings

🧯 If You Can't Patch

Isolate affected routers in separate VLAN with strict network segmentation
Implement network monitoring for suspicious HTTP POST requests to /boafrm/formIpQoS

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface under System Status or Firmware Upgrade section

Check Version:

curl -s http://router-ip/boafrm/formSysCmd | grep -i version

Verify Fix Applied:

Verify firmware version has changed from 3.0.0-B20230809.1615 to a newer version

📡 Detection & Monitoring

Log Indicators:

HTTP POST requests to /boafrm/formIpQoS with unusually long mac parameter values
Router crash or reboot logs

Network Indicators:

HTTP traffic to router IP on port 80/443 containing /boafrm/formIpQoS in URI
Unusual outbound connections from router after exploitation

SIEM Query:

source="router_logs" AND uri="/boafrm/formIpQoS" AND method="POST" AND (bytes_out>1000 OR status_code=500)

📊 Metadata

CVE ID: CVE-2025-4733

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-119

EPSS Score: 0.43% exploit probability (62th percentile)

Published: May 16, 2025

Last Updated: June 20, 2025

🔗 References

https://github.com/CH13hh/tmp_store_cc/blob/main/tt/ta/7.md Broken Link
https://vuldb.com/?ctiid.309035 Permissions Required,VDB Entry
https://vuldb.com/?id.309035 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.570703 Third Party Advisory,VDB Entry
https://www.totolink.net/ Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-4733, you might also want to check these: