Cyber Resilience

CVE-2025-55895

Severity: Critical · Public PoC referenced

Published: 15 December 2025
Modified: 17 December 2025
KEV Added: not listed (not in the CISA KEV catalog)
Patch: not recorded
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0009 (26.3rd percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-55895 is a critical-severity Improper Access Control (CWE-284) vulnerability in TOTOLINK A3300R firmware. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 26.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced. The low EPSS figure reflects predicted in-the-wild exploitation activity, not difficulty: with a public PoC, a network attack vector and no authentication required, any device whose web interface is reachable from untrusted networks should be treated as a priority.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-55895 is an Incorrect Access Control vulnerability (CWE-284) affecting specific TOTOLINK router models. The impacted products are the A3300R running firmware version V17.0.0cu.557_B20221024 and the N200RE running firmware versions V9.3.5u.6448_B20240521 and V9.3.5u.6437_B20230519. The flaw allows a remote attacker to send payloads directly to the device's web interface without first authenticating: the interface accepts and acts on requests that should have been gated behind a login session.
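The weakness class described above (CWE-284) is easiest to see in code. The following is an added example written for this page, not TOTOLINK firmware or anything from the referenced write-up: every path, cookie name, session value and handler is hypothetical. It contrasts an opt-in authentication check, where a handler reachable through a path that was never added to the protected list runs without a session, with a default-deny dispatcher in which unauthenticated actions are an explicit allowlist (the AC-14 control) and everything else is enforced (AC-3).

```python
"""Added example (hypothetical code, not TOTOLINK firmware): the CWE-284 pattern and a
default-deny fix. Paths, cookie names and session values below are constructed."""
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    method: str = "POST"
    cookies: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


# Constructed session store standing in for the device's login state.
VALID_SESSIONS = {"sess-abc123": "admin"}


def session_user(req: Request):
    """Return the logged-in user for the request's session cookie, or None."""
    return VALID_SESSIONS.get(req.cookies.get("SESSION_ID"))


def set_wan_config(user, body):
    """State-changing action: must only ever run for an authenticated user."""
    return f"{user} set WAN mode to {body.get('mode')}"


def login_page(user, body):
    """Harmless action that legitimately needs no session."""
    return "login form"


# Two hypothetical paths reach the same state-changing handler.
ROUTES = {
    "/cgi-bin/setWanConfig": set_wan_config,
    "/cgi-bin/apply": set_wan_config,
    "/login.html": login_page,
}


# --- Vulnerable pattern (CWE-284): the auth check is an opt-in list of "protected"
# paths. Any handler reachable through a path that was never added to the list
# (here the /cgi-bin/apply alias) runs without a session.
PROTECTED_PATHS = {"/cgi-bin/setWanConfig"}


def vulnerable_dispatch(req: Request):
    handler = ROUTES.get(req.path)
    if handler is None:
        return 404, "not found"
    user = session_user(req)
    if req.path in PROTECTED_PATHS and user is None:
        return 401, "auth required"
    return 200, handler(user, req.body)


# --- Hardened pattern (AC-14 + AC-3): authentication is the default for every
# route; the only exceptions are an explicit, reviewed allowlist of actions that
# may run without identification. A new handler is protected unless someone
# deliberately adds it here.
UNAUTHENTICATED_ALLOWED = {"/login.html"}


def hardened_dispatch(req: Request):
    handler = ROUTES.get(req.path)
    if handler is None:
        return 404, "not found"
    user = session_user(req)
    if user is None and req.path not in UNAUTHENTICATED_ALLOWED:
        return 401, "auth required"
    return 200, handler(user, req.body)


if __name__ == "__main__":
    anon = Request("/cgi-bin/apply", body={"mode": "pppoe"})
    print("vulnerable:", vulnerable_dispatch(anon))  # (200, 'None set WAN mode to pppoe')
    print("hardened:  ", hardened_dispatch(anon))    # (401, 'auth required')
```

The difference is not the strength of the session check but where it sits: the vulnerable version asks "is this path protected?" and the hardened version asks "is this path explicitly allowed without a session?". The second question fails safe when a route is added, renamed or aliased, which is how unauthenticated management endpoints on embedded web servers typically come about.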

The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating it is exploitable remotely over the network with low complexity, no privileges, and no user interaction required. Unauthenticated attackers can leverage this to achieve high impacts on confidentiality and integrity, such as unauthorized data access or modification, while availability remains unaffected. Scope is Unchanged, so the scored impact is confined to the router itself rather than to systems beyond it.

The referenced proof-of-concept write-up at https://github.com/l0tk3/CVES/blob/main/CVE-2025-55895.pdf documents the issue, and firmware updates, where available, are distributed through the vendor's website at https://www.totolink.net/. Security practitioners should consult both sources for patching instructions or workarounds specific to the affected firmware versions. Until a fixed firmware build is confirmed installed, the practical workaround is to keep the administrative web interface off the WAN side and limit which LAN hosts can reach it, which removes the unauthenticated network path the CVSS vector assumes.


Vulnerability details

TOTOLINK A3300R V17.0.0cu.557_B20221024 and N200RE V9.3.5u.6448_B20240521 and V9.3.5u.6437_B20230519 are vulnerable to Incorrect Access Control. Attackers can send payloads to the interface without logging in (remote).

CWE(s)

CWE-284 Improper Access Control

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The incorrect access control vulnerability in the router's web interface allows remote unauthenticated attackers to send payloads. Where the interface is exposed to the Internet this is exploitation of a public-facing application (T1190); where an attacker already has a foothold on the LAN and reaches the interface from inside, the same flaw serves lateral movement through exploitation of a remote service (T1210).

CVEs Like This One

CVE-2025-12240Same product: Totolink A3300R
CVE-2025-12259Same product: Totolink A3300R
CVE-2025-12239Same product: Totolink A3300R
CVE-2025-12241Same product: Totolink A3300R
CVE-2025-12260Same product: Totolink A3300R
CVE-2025-12258Same product: Totolink A3300R
CVE-2026-31177Same product: Totolink A3300R
CVE-2026-5103Same product: Totolink A3300R
CVE-2026-5178Same product: Totolink A3300R
CVE-2026-31181Same product: Totolink A3300R

Affected Assets

totolink a3300r firmware 17.0.0cu.557_b20221024
totolink n200re firmware 9.3.5u.6437_b20230519

The vulnerability description above also lists n200re firmware 9.3.5u.6448_b20240521 as affected; include it when matching inventory against this entry.

Mitigating Controls (NIST 800-53 r5)

AC-14 Permitted Actions Without Identification or Authentication (prevent)
Explicitly identifies and restricts user actions performable without identification or authentication, directly preventing unauthenticated payload submission to the vulnerable web interface.

AC-3 Access Enforcement (prevent)
Enforces approved authorizations for logical access to system resources, mitigating the incorrect access control allowing remote unauthenticated exploitation.

AC-6 Least Privilege (prevent)
Applies least privilege to limit access to only necessary functions, reducing the scope of damage from unauthenticated interface access.

References

https://github.com/l0tk3/CVES/blob/main/CVE-2025-55895.pdf (public proof-of-concept write-up)
https://www.totolink.net/ (vendor)