CVE-2018-13315
CRITICAL EXPLOITED
TOTOLINK A3002RU 1.0.8 - Unauthenticated Password Change via formPasswordSetup
Title source: llm
Exploitation Summary
CVE-2018-13315 has been observed exploited in the wild (reported by VulnCheck KEV).
Description
Incorrect access control in formPasswordSetup in TOTOLINK A3002RU version 1.0.8 allows attackers to change the admin user's password via an unauthenticated POST request.
References (1)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://blog.securityevaluators.com/new-vulnerabilities-in-totolink-a3002ru-d6f42a081154
Scores
CVSS v3
9.8
EPSS
0.0074
EPSS Percentile
73.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
VulnCheck KEV
2024-02-05
CWE
CWE-20
Status
published
Products (1)
totolink/a3002ru_firmware
1.0.8
Published
Nov 26, 2018
Tracked Since
Feb 18, 2026