{"api_version":"1","generated_at":"2026-05-30T13:52:46+00:00","cve":"CVE-2025-6401","urls":{"html":"https://cve.report/CVE-2025-6401","api":"https://cve.report/api/cve/CVE-2025-6401.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2025-6401","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2025-6401"},"summary":{"title":"TOTOLINK N300RH HTTP POST Message formFilter denial of service","description":"A vulnerability was found in TOTOLINK N300RH 6.1c.1390_B20191101. It has been classified as problematic. This affects an unknown part of the file /boafrm/formFilter of the component HTTP POST Message Handler. The manipulation of the argument url leads to denial of service. The exploit has been disclosed to the public and may be used.","state":"PUBLISHED","assigner":"VulDB","published_at":"2025-06-21 07:15:23","updated_at":"2026-04-29 01:00:01"},"problem_types":["CWE-404","CWE-404 Denial of Service"],"metrics":[{"version":"4.0","source":"cna@vuldb.com","type":"Secondary","score":"2","severity":"LOW","vector":"CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2,"baseSeverity":"LOW","attackVector":"ADJACENT","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}},{"version":"4.0","source":"CNA","type":"DECLARED","score":"5.1","severity":"MEDIUM","vector":"CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P","data":{"baseScore":5.1,"baseSeverity":"MEDIUM","vectorString":"CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P","version":"4.0"}},{"version":"3.1","source":"cna@vuldb.com","type":"Secondary","score":"3.5","severity":"LOW","vector":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","baseScore":3.5,"baseSeverity":"LOW","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"3.5","severity":"LOW","vector":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R","data":{"baseScore":3.5,"baseSeverity":"LOW","vectorString":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R","version":"3.1"}},{"version":"3.0","source":"CNA","type":"DECLARED","score":"3.5","severity":"LOW","vector":"CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R","data":{"baseScore":3.5,"baseSeverity":"LOW","vectorString":"CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R","version":"3.0"}},{"version":"2.0","source":"cna@vuldb.com","type":"Secondary","score":"2.3","severity":"","vector":"AV:A/AC:M/Au:S/C:N/I:N/A:P","data":{"version":"2.0","vectorString":"AV:A/AC:M/Au:S/C:N/I:N/A:P","baseScore":2.3,"accessVector":"ADJACENT_NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"PARTIAL"}},{"version":"2.0","source":"CNA","type":"DECLARED","score":"2.3","severity":"","vector":"AV:A/AC:M/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR","data":{"baseScore":2.3,"vectorString":"AV:A/AC:M/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR","version":"2.0"}}],"references":[{"url":"https://github.com/d2pq/cve/blob/main/616/21.md","name":"https://github.com/d2pq/cve/blob/main/616/21.md","refsource":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/d2pq/cve/blob/main/616/21.md#poc","name":"https://github.com/d2pq/cve/blob/main/616/21.md#poc","refsource":"cna@vuldb.com","tags":["Exploit","Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://vuldb.com/?id.313395","name":"https://vuldb.com/?id.313395","refsource":"cna@vuldb.com","tags":["Third Party Advisory","VDB Entry"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://vuldb.com/?ctiid.313395","name":"https://vuldb.com/?ctiid.313395","refsource":"cna@vuldb.com","tags":["Permissions Required","Third Party Advisory","VDB Entry"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.totolink.net/","name":"https://www.totolink.net/","refsource":"cna@vuldb.com","tags":["Product"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://vuldb.com/?submit.597688","name":"https://vuldb.com/?submit.597688","refsource":"cna@vuldb.com","tags":["Third Party Advisory","VDB Entry"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-6401","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6401","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"TOTOLINK","product":"N300RH","version":"affected 6.1c.1390_B20191101","platforms":[]}],"timeline":[{"source":"CNA","time":"2025-06-20T00:00:00.000Z","lang":"en","value":"Advisory disclosed"},{"source":"CNA","time":"2025-06-20T02:00:00.000Z","lang":"en","value":"VulDB entry created"},{"source":"CNA","time":"2025-06-20T12:43:55.000Z","lang":"en","value":"VulDB entry last update"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"yuhongxiang (VulDB User)","lang":"en"}],"nvd_cpes":[{"cve_year":"2025","cve_id":"6401","vulnerable":"0","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"totolink","cpe5":"n300rh","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"6401","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"totolink","cpe5":"n300rh_firmware","cpe6":"6.1c.1390_b20191101","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2025-6401","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2025-06-23T16:09:27.308682Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2025-06-23T19:27:48.226Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"references":[{"tags":["exploit"],"url":"https://github.com/d2pq/cve/blob/main/616/21.md"}],"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"modules":["HTTP POST Message Handler"],"product":"N300RH","vendor":"TOTOLINK","versions":[{"status":"affected","version":"6.1c.1390_B20191101"}]}],"credits":[{"lang":"en","type":"reporter","value":"yuhongxiang (VulDB User)"}],"descriptions":[{"lang":"en","value":"A vulnerability was found in TOTOLINK N300RH 6.1c.1390_B20191101. It has been classified as problematic. This affects an unknown part of the file /boafrm/formFilter of the component HTTP POST Message Handler. The manipulation of the argument url leads to denial of service. The exploit has been disclosed to the public and may be used."},{"lang":"de","value":"Es wurde eine Schwachstelle in TOTOLINK N300RH 6.1c.1390_B20191101 ausgemacht. Sie wurde als problematisch eingestuft. Es betrifft eine unbekannte Funktion der Datei /boafrm/formFilter der Komponente HTTP POST Message Handler. Mittels dem Manipulieren des Arguments url mit unbekannten Daten kann eine denial of service-Schwachstelle ausgenutzt werden. Der Exploit steht zur öffentlichen Verfügung."}],"metrics":[{"cvssV4_0":{"baseScore":5.1,"baseSeverity":"MEDIUM","vectorString":"CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P","version":"4.0"}},{"cvssV3_1":{"baseScore":3.5,"baseSeverity":"LOW","vectorString":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R","version":"3.1"}},{"cvssV3_0":{"baseScore":3.5,"baseSeverity":"LOW","vectorString":"CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R","version":"3.0"}},{"cvssV2_0":{"baseScore":2.3,"vectorString":"AV:A/AC:M/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR","version":"2.0"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-404","description":"Denial of Service","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2025-06-21T06:31:08.227Z","orgId":"1af790b2-7ee1-4545-860a-a788eba489b5","shortName":"VulDB"},"references":[{"name":"VDB-313395 | TOTOLINK N300RH HTTP POST Message formFilter denial of service","tags":["vdb-entry","technical-description"],"url":"https://vuldb.com/?id.313395"},{"name":"VDB-313395 | CTI Indicators (IOB, IOC, IOA)","tags":["signature","permissions-required"],"url":"https://vuldb.com/?ctiid.313395"},{"name":"Submit #597688 | TOTOLINK  N300RH_V4 V6.1c.1390_B20191101 Buffer Overflow","tags":["third-party-advisory"],"url":"https://vuldb.com/?submit.597688"},{"tags":["related"],"url":"https://github.com/d2pq/cve/blob/main/616/21.md"},{"tags":["exploit"],"url":"https://github.com/d2pq/cve/blob/main/616/21.md#poc"},{"tags":["product"],"url":"https://www.totolink.net/"}],"timeline":[{"lang":"en","time":"2025-06-20T00:00:00.000Z","value":"Advisory disclosed"},{"lang":"en","time":"2025-06-20T02:00:00.000Z","value":"VulDB entry created"},{"lang":"en","time":"2025-06-20T12:43:55.000Z","value":"VulDB entry last update"}],"title":"TOTOLINK N300RH HTTP POST Message formFilter denial of service"}},"cveMetadata":{"assignerOrgId":"1af790b2-7ee1-4545-860a-a788eba489b5","assignerShortName":"VulDB","cveId":"CVE-2025-6401","datePublished":"2025-06-21T06:31:08.227Z","dateReserved":"2025-06-20T10:38:48.055Z","dateUpdated":"2025-06-23T19:27:48.226Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2025-06-21 07:15:23","lastModifiedDate":"2026-04-29 01:00:01","problem_types":["CWE-404","CWE-404 Denial of Service"],"metrics":{"cvssMetricV40":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2,"baseSeverity":"LOW","attackVector":"ADJACENT","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L","baseScore":3.5,"baseSeverity":"LOW","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":2.1,"impactScore":1.4}],"cvssMetricV2":[{"source":"cna@vuldb.com","type":"Secondary","cvssData":{"version":"2.0","vectorString":"AV:A/AC:M/Au:S/C:N/I:N/A:P","baseScore":2.3,"accessVector":"ADJACENT_NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"PARTIAL"},"baseSeverity":"LOW","exploitabilityScore":4.4,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:totolink:n300rh_firmware:6.1c.1390_b20191101:*:*:*:*:*:*:*","matchCriteriaId":"7FF23FE8-AE3C-4266-B0B8-1385076EDE11"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:h:totolink:n300rh:-:*:*:*:*:*:*:*","matchCriteriaId":"3CB91509-BFD9-49C5-938E-374591AB5B66"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"6401","Ordinal":"1","Title":"TOTOLINK N300RH HTTP POST Message formFilter denial of service","CVE":"CVE-2025-6401","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"6401","Ordinal":"1","NoteData":"A vulnerability was found in TOTOLINK N300RH 6.1c.1390_B20191101. It has been classified as problematic. This affects an unknown part of the file /boafrm/formFilter of the component HTTP POST Message Handler. The manipulation of the argument url leads to denial of service. The exploit has been disclosed to the public and may be used.","Type":"Description","Title":"TOTOLINK N300RH HTTP POST Message formFilter denial of service"}]}}}