CVE-2025-6916

HIGH

Totolink T6 Firmware - Missing Authentication

Description

A vulnerability, which was classified as critical, was found in TOTOLINK T6 4.1.5cu.748_B20211015. This affects the function Form_Login of the file /formLoginAuth.htm. The manipulation of the argument authCode/goURL leads to missing authentication. The attack needs to be initiated within the local network. The exploit has been disclosed to the public and may be used.

Exploits (1)

nomisec WORKING POC
by c0nyy · poc
https://github.com/c0nyy/IoT_vuln

Scores

CVSS v3 8.8
EPSS 0.0022
EPSS Percentile 43.9%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-287 CWE-306
Status published
Products (1)
totolink/t6_firmware v4.1.5cu.748_b20211015
Published Jun 30, 2025
Tracked Since Feb 18, 2026