{"api_version":"1","generated_at":"2026-07-07T06:23:41+00:00","cve":"CVE-2025-6139","urls":{"html":"https://cve.report/CVE-2025-6139","api":"https://cve.report/api/cve/CVE-2025-6139.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2025-6139","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2025-6139"},"summary":{"title":"TOTOLINK T10 shadow.sample hard-coded password","description":"A vulnerability, which was classified as problematic, has been found in TOTOLINK T10 4.1.8cu.5207. Affected by this issue is some unknown functionality of the file /etc/shadow.sample. The manipulation leads to use of hard-coded password. The attack can only be initiated within the local network. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.","state":"PUBLISHED","assigner":"VulDB","published_at":"2025-06-16 21:15:24","updated_at":"2026-04-29 01:00:01"},"problem_types":["CWE-255","CWE-259","CWE-259 Use of Hard-coded Password","CWE-255 Credentials Management"],"metrics":[{"version":"4.0","source":"cna@vuldb.com","type":"Secondary","score":"1.1","severity":"LOW","vector":"CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":1.1,"baseSeverity":"LOW","attackVector":"ADJACENT","attackComplexity":"HIGH","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}},{"version":"4.0","source":"CNA","type":"DECLARED","score":"2","severity":"LOW","vector":"CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P","data":{"baseScore":2,"baseSeverity":"LOW","vectorString":"CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P","version":"4.0"}},{"version":"3.1","source":"cna@vuldb.com","type":"Secondary","score":"3.9","severity":"LOW","vector":"CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L","baseScore":3.9,"baseSeverity":"LOW","attackVector":"ADJACENT_NETWORK","attackComplexity":"HIGH","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"3.9","severity":"LOW","vector":"CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R","data":{"baseScore":3.9,"baseSeverity":"LOW","vectorString":"CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R","version":"3.1"}},{"version":"3.0","source":"CNA","type":"DECLARED","score":"3.9","severity":"LOW","vector":"CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R","data":{"baseScore":3.9,"baseSeverity":"LOW","vectorString":"CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R","version":"3.0"}},{"version":"2.0","source":"cna@vuldb.com","type":"Secondary","score":"3.7","severity":"","vector":"AV:A/AC:H/Au:M/C:P/I:P/A:P","data":{"version":"2.0","vectorString":"AV:A/AC:H/Au:M/C:P/I:P/A:P","baseScore":3.7,"accessVector":"ADJACENT_NETWORK","accessComplexity":"HIGH","authentication":"MULTIPLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"}},{"version":"2.0","source":"CNA","type":"DECLARED","score":"3.7","severity":"","vector":"AV:A/AC:H/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR","data":{"baseScore":3.7,"vectorString":"AV:A/AC:H/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR","version":"2.0"}}],"references":[{"url":"https://candle-throne-f75.notion.site/TOTOLINK-T10-shadow-20ddf0aa118580f5a455cd5dbc521472","name":"https://candle-throne-f75.notion.site/TOTOLINK-T10-shadow-20ddf0aa118580f5a455cd5dbc521472","refsource":"cna@vuldb.com","tags":["Exploit","Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://vuldb.com/?ctiid.312608","name":"https://vuldb.com/?ctiid.312608","refsource":"cna@vuldb.com","tags":["Permissions Required","VDB Entry"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://vuldb.com/?submit.592922","name":"https://vuldb.com/?submit.592922","refsource":"cna@vuldb.com","tags":["Third Party Advisory","VDB Entry"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.totolink.net/","name":"https://www.totolink.net/","refsource":"cna@vuldb.com","tags":["Product"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://vuldb.com/?id.312608","name":"https://vuldb.com/?id.312608","refsource":"cna@vuldb.com","tags":["Third Party Advisory","VDB Entry"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-6139","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6139","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"TOTOLINK","product":"T10","version":"affected 4.1.8cu.5207","platforms":[]}],"timeline":[{"source":"CNA","time":"2025-06-15T00:00:00.000Z","lang":"en","value":"Advisory disclosed"},{"source":"CNA","time":"2025-06-15T02:00:00.000Z","lang":"en","value":"VulDB entry created"},{"source":"CNA","time":"2025-06-15T12:57:21.000Z","lang":"en","value":"VulDB entry last update"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"ysnysnysn0121 (VulDB User)","lang":"en"}],"nvd_cpes":[{"cve_year":"2025","cve_id":"6139","vulnerable":"0","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"totolink","cpe5":"t10","cpe6":"2.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"6139","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"totolink","cpe5":"t10_firmware","cpe6":"4.1.8cu.5207_b20210320","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2025-6139","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2025-06-17T18:16:18.278487Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2025-06-17T18:18:54.803Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"T10","vendor":"TOTOLINK","versions":[{"status":"affected","version":"4.1.8cu.5207"}]}],"credits":[{"lang":"en","type":"reporter","value":"ysnysnysn0121 (VulDB User)"}],"descriptions":[{"lang":"en","value":"A vulnerability, which was classified as problematic, has been found in TOTOLINK T10 4.1.8cu.5207. Affected by this issue is some unknown functionality of the file /etc/shadow.sample. The manipulation leads to use of hard-coded password. The attack can only be initiated within the local network. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used."},{"lang":"de","value":"Eine problematische Schwachstelle wurde in TOTOLINK T10 4.1.8cu.5207 entdeckt. Betroffen davon ist ein unbekannter Prozess der Datei /etc/shadow.sample. Durch Beeinflussen mit unbekannten Daten kann eine use of hard-coded password-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei im lokalen Netzwerk erfolgen. Die Komplexität eines Angriffs ist eher hoch. Sie ist schwierig ausnutzbar. Der Exploit steht zur öffentlichen Verfügung."}],"metrics":[{"cvssV4_0":{"baseScore":2,"baseSeverity":"LOW","vectorString":"CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P","version":"4.0"}},{"cvssV3_1":{"baseScore":3.9,"baseSeverity":"LOW","vectorString":"CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R","version":"3.1"}},{"cvssV3_0":{"baseScore":3.9,"baseSeverity":"LOW","vectorString":"CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R","version":"3.0"}},{"cvssV2_0":{"baseScore":3.7,"vectorString":"AV:A/AC:H/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR","version":"2.0"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-259","description":"Use of Hard-coded Password","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-255","description":"Credentials Management","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2025-06-16T21:00:17.742Z","orgId":"1af790b2-7ee1-4545-860a-a788eba489b5","shortName":"VulDB"},"references":[{"name":"VDB-312608 | TOTOLINK T10 shadow.sample hard-coded password","tags":["vdb-entry"],"url":"https://vuldb.com/?id.312608"},{"name":"VDB-312608 | CTI Indicators (IOB, IOC, TTP, IOA)","tags":["signature","permissions-required"],"url":"https://vuldb.com/?ctiid.312608"},{"name":"Submit #592922 | TOTOLINK T10 V2_Firmware V2_V4.1.8cu.5207 Hardcoded root password","tags":["third-party-advisory"],"url":"https://vuldb.com/?submit.592922"},{"tags":["exploit"],"url":"https://candle-throne-f75.notion.site/TOTOLINK-T10-shadow-20ddf0aa118580f5a455cd5dbc521472"},{"tags":["product"],"url":"https://www.totolink.net/"}],"timeline":[{"lang":"en","time":"2025-06-15T00:00:00.000Z","value":"Advisory disclosed"},{"lang":"en","time":"2025-06-15T02:00:00.000Z","value":"VulDB entry created"},{"lang":"en","time":"2025-06-15T12:57:21.000Z","value":"VulDB entry last update"}],"title":"TOTOLINK T10 shadow.sample hard-coded password"}},"cveMetadata":{"assignerOrgId":"1af790b2-7ee1-4545-860a-a788eba489b5","assignerShortName":"VulDB","cveId":"CVE-2025-6139","datePublished":"2025-06-16T21:00:17.742Z","dateReserved":"2025-06-15T10:52:12.754Z","dateUpdated":"2025-06-17T18:18:54.803Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2025-06-16 21:15:24","lastModifiedDate":"2026-04-29 01:00:01","problem_types":["CWE-255","CWE-259","CWE-259 Use of Hard-coded Password","CWE-255 Credentials Management"],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":1.1,"baseSeverity":"LOW","attackVector":"ADJACENT","attackComplexity":"HIGH","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L","baseScore":3.9,"baseSeverity":"LOW","attackVector":"ADJACENT_NETWORK","attackComplexity":"HIGH","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":0.5,"impactScore":3.4}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:A/AC:H/Au:M/C:P/I:P/A:P","baseScore":3.7,"accessVector":"ADJACENT_NETWORK","accessComplexity":"HIGH","authentication":"MULTIPLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"LOW","exploitabilityScore":2,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:totolink:t10_firmware:4.1.8cu.5207_b20210320:*:*:*:*:*:*:*","matchCriteriaId":"827828BD-015A-458C-8E00-37B2BF489F2D"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:totolink:t10:2.0:*:*:*:*:*:*:*","matchCriteriaId":"D751C3BC-20DC-4896-B334-EE3A00F600BF"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"6139","Ordinal":"1","Title":"TOTOLINK T10 shadow.sample hard-coded password","CVE":"CVE-2025-6139","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"6139","Ordinal":"1","NoteData":"A vulnerability, which was classified as problematic, has been found in TOTOLINK T10 4.1.8cu.5207. Affected by this issue is some unknown functionality of the file /etc/shadow.sample. The manipulation leads to use of hard-coded password. The attack can only be initiated within the local network. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.","Type":"Description","Title":"TOTOLINK T10 shadow.sample hard-coded password"}]}}}