TOTOLINK EX200 Web boa.conf least privilege violation
Summary
| CVE | CVE-2026-15271 |
|---|---|
| State | PUBLISHED |
| Assigner | VulDB |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-09 22:17:02 UTC |
| Updated | 2026-07-10 15:43:30 UTC |
| Description | A security vulnerability has been detected in TOTOLINK A3000RU, A3100R, A950RG, AC1200T10, CP450, CS185R_T10 and EX200 up to 20260906. Affected by this issue is some unknown functionality of the file /etc/boa/boa.conf of the component Web Interface. The manipulation leads to least privilege violation. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitation is known to be difficult. |
Risk And Classification
Primary CVSS: v4.0 7.7 HIGH from [email protected]
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.004070000 probability, percentile 0.327880000 (date 2026-07-12)
Problem Types: CWE-266 | CWE-272 | CWE-272 Least Privilege Violation | CWE-266 Incorrect Privilege Assignment
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 7.7 | HIGH | CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | DECLARED | 7.7 | HIGH | CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X |
| 3.1 | [email protected] | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | CNA | DECLARED | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:R |
| 3.0 | CNA | DECLARED | 7.5 | HIGH | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:R |
| 2.0 | [email protected] | Secondary | 7.1 | AV:N/AC:H/Au:S/C:C/I:C/A:C | |
| 2.0 | CNA | DECLARED | 7.1 | AV:N/AC:H/Au:S/C:C/I:C/A:C/E:ND/RL:ND/RC:UR |
CVSS v4.0 Breakdown
Attack Vector
NetworkAttack Complexity
HighAttack Requirements
NonePrivileges Required
LowUser Interaction
NoneConfidentiality
HighIntegrity
HighAvailability
HighSub Conf.
NoneSub Integrity
NoneSub Availability
NoneCVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
HighPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v3.0 Breakdown
Attack Vector
NetworkAttack Complexity
HighPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:R
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | TOTOLINK | A3000RU | affected 20260906 | Not specified |
| CNA | TOTOLINK | A3100R | affected 20260906 | Not specified |
| CNA | TOTOLINK | A950RG | affected 20260906 | Not specified |
| CNA | TOTOLINK | AC1200T10 | affected 20260906 | Not specified |
| CNA | TOTOLINK | CP450 | affected 20260906 | Not specified |
| CNA | TOTOLINK | CS185R T10 | affected 20260906 | Not specified |
| CNA | TOTOLINK | EX200 | affected 20260906 | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| vuldb.com/cve/CVE-2026-15271 | [email protected] | vuldb.com | |
| vuldb.com/submit/852317 | [email protected] | vuldb.com | |
| vuldb.com/vuln/377214/cti | [email protected] | vuldb.com | |
| vuldb.com/submit/852323 | [email protected] | vuldb.com | |
| vuldb.com/submit/852316 | [email protected] | vuldb.com | |
| vuldb.com/submit/852321 | [email protected] | vuldb.com | |
| vuldb.com/submit/852320 | [email protected] | vuldb.com | |
| app.notion.com/p/A3000RU-V5-9c-5185-37a1f5ba989080d38bb6ca58b2a98c64 | [email protected] | app.notion.com | |
| www.totolink.net | [email protected] | www.totolink.net | |
| vuldb.com/vuln/377214 | [email protected] | vuldb.com | |
| vuldb.com/submit/852318 | [email protected] | vuldb.com | |
| vuldb.com/submit/852319 | [email protected] | vuldb.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: L-14 (VulDB User) (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-07-09T00:00:00.000Z | Advisory disclosed |
| CNA | 2026-07-09T02:00:00.000Z | VulDB entry created |
| CNA | 2026-07-09T16:58:55.000Z | VulDB entry last update |
There are currently no legacy QID mappings associated with this CVE.