Cyber Posture

CVE-2025-55895

Severity: Critical · Public PoC

Published: 15 December 2025
Modified: 17 December 2025
KEV Added: (none listed)
Patch: (none listed)
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0016 (36.3rd percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

TOTOLINK A3300R V17.0.0cu.557_B20221024 and N200RE V9.3.5u.6448_B20240521 and V9.3.5u.6437_B20230519 are vulnerable to Incorrect Access Control. Attackers can send payloads to the interface without logging in (remote).

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent: Explicitly identifies and restricts the user actions that may be performed without identification or authentication, directly preventing unauthenticated payload submission to the vulnerable web interface.

prevent: Enforces approved authorizations for logical access to system resources, mitigating the incorrect access control that allows remote unauthenticated exploitation.

prevent: Applies least privilege so that the interface exposes only the functions each caller needs, reducing the damage an unauthenticated caller can do.
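The controls above describe the fix in policy terms. The following is an added example, not code from this page or from TOTOLINK, that shows the same thing in code: a miniature router-management dispatcher with the CWE-284 pattern (handlers run before any session check, so anyone who can reach the interface can invoke privileged actions), beside a hardened dispatcher that keeps an explicit allowlist of actions permitted without authentication and enforces a valid session for everything else. The action names, handlers and session scheme are invented for illustration and are not the real TOTOLINK endpoints.

```python
"""Added example (not code from the page or from TOTOLINK): a miniature
router-management dispatcher showing the CWE-284 pattern behind
CVE-2025-55895, then the hardened form that implements the controls above.

Everything here is hypothetical: the action names, the handlers and the
session scheme are invented for illustration, not TOTOLINK's endpoints.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


@dataclass
class Request:
    """One request to the management interface."""
    action: str
    params: Dict[str, str] = field(default_factory=dict)
    session: Optional[str] = None  # session token, if the client has one


@dataclass
class Router:
    """Mutable device state touched by the handlers."""
    admin_password: str = "admin"
    dns_server: str = "192.0.2.53"  # RFC 5737 documentation address
    sessions: Set[str] = field(default_factory=set)

    def login(self, p: Dict[str, str]) -> dict:
        if hmac.compare_digest(p.get("password", ""), self.admin_password):
            token = secrets.token_hex(16)
            self.sessions.add(token)
            return {"ok": True, "session": token}
        return {"ok": False, "error": "bad credentials"}

    def set_dns(self, p: Dict[str, str]) -> dict:
        self.dns_server = p["server"]
        return {"ok": True}

    def set_password(self, p: Dict[str, str]) -> dict:
        self.admin_password = p["password"]
        return {"ok": True}


# Action name -> handler. Hypothetical names, not TOTOLINK's.
HANDLERS: Dict[str, Callable[[Router, Dict[str, str]], dict]] = {
    "login": Router.login,
    "setDns": Router.set_dns,
    "setPassword": Router.set_password,
}


def dispatch_vulnerable(router: Router, req: Request) -> dict:
    """Incorrect access control (CWE-284): the dispatcher looks up the
    handler by action name and calls it. Nothing ever consults req.session,
    so a remote client that has never logged in can change DNS or the
    admin password. This is the "send payloads without logging in" class
    of flaw the CVE description refers to."""
    handler = HANDLERS.get(req.action)
    if handler is None:
        return {"ok": False, "error": "unknown action"}
    return handler(router, req.params)


# The only actions a client may invoke before authenticating (the
# "permitted actions without identification or authentication" control).
# Keep the list as short as possible; "login" has to be on it by definition.
UNAUTHENTICATED_ACTIONS = frozenset({"login"})


def dispatch_hardened(router: Router, req: Request) -> dict:
    """Same dispatcher with access enforcement done *before* the handler
    runs: any action not on the allowlist requires a session token that
    this device itself issued."""
    handler = HANDLERS.get(req.action)
    if handler is None:
        return {"ok": False, "error": "unknown action"}
    if req.action not in UNAUTHENTICATED_ACTIONS:
        if req.session is None or req.session not in router.sessions:
            return {"ok": False, "error": "authentication required"}
    return handler(router, req.params)


def demo() -> dict:
    """Replay one unauthenticated request against both dispatchers and
    report whether device state was changed."""
    payload = Request("setDns", {"server": "198.51.100.1"})  # constructed attacker input
    weak, strong = Router(), Router()
    dispatch_vulnerable(weak, payload)
    dispatch_hardened(strong, payload)
    return {
        "vulnerable_dns_changed": weak.dns_server == "198.51.100.1",
        "hardened_dns_changed": strong.dns_server == "198.51.100.1",
    }


if __name__ == "__main__":
    print(demo())  # {'vulnerable_dns_changed': True, 'hardened_dns_changed': False}
```

The important design point is the order of operations in `dispatch_hardened`: the authorization decision is made once, centrally, before any handler is selected, and the default for an action missing from the allowlist is "deny". Firmware that instead relies on each handler to remember to check the session is one forgotten check away from exactly this CVE.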

Security Summary [AI-generated]

CVE-2025-55895 is an Incorrect Access Control vulnerability (CWE-284) affecting specific TOTOLINK router models. The impacted products include the A3300R running firmware version V17.0.0cu.557_B20221024 and the N200RE running firmware versions V9.3.5u.6448_B20240521 and V9.3.5u.6437_B20230519. The flaw enables attackers to send payloads directly to the web interface without requiring authentication.

The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating it is exploitable remotely over the network with low complexity, no privileges, and no user interaction required. Unauthenticated attackers can leverage this to achieve high impacts on confidentiality and integrity, such as unauthorized data access or modification, while availability remains unaffected.

The published references are the proof-of-concept write-up at https://github.com/l0tk3/CVES/blob/main/CVE-2025-55895.pdf and the vendor's website at https://www.totolink.net/. Practitioners should check the vendor site for firmware newer than the listed versions; where no fixed build is available, the practical workaround is to make the management interface unreachable from untrusted networks (no WAN-side exposure) until it can be patched.

Details

CWE(s)
CWE-284 Incorrect Access Control

Affected Products
totolink a3300r firmware 17.0.0cu.557_b20221024
totolink n200re firmware 9.3.5u.6437_b20230519

Note that the CVE description also names N200RE V9.3.5u.6448_B20240521, which does not appear in the product list above; include that version when scoping an inventory check.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

The flaw is exploited by sending requests to the router's web interface without a session, so which technique applies depends only on where that interface is reachable from. When the management interface is exposed to the Internet or another untrusted network, exploitation is initial access through a public-facing application (T1190). When it is reachable only from the LAN, an attacker who already has a foothold inside the network can use it to take control of the router (T1210).

References

https://github.com/l0tk3/CVES/blob/main/CVE-2025-55895.pdf
https://www.totolink.net/