CVE-2025-55895
Published: 15 December 2025
Summary
CVE-2025-55895 is a critical-severity Improper Access Control (CWE-284) vulnerability in Totolink A3300R Firmware. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 26.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2025-55895 is an Incorrect Access Control vulnerability (CWE-284) affecting specific TOTOLINK router models. The impacted products are the A3300R running firmware V17.0.0cu.557_B20221024 and the N200RE running firmware V9.3.5u.6448_B20240521 and V9.3.5u.6437_B20230519. The router's web management interface processes requests without first verifying that the client holds an authenticated session, so any remote attacker who can reach the interface can submit payloads to it without logging in.
The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating it is exploitable remotely over the network with low complexity, no privileges, and no user interaction required. Unauthenticated attackers can leverage this to achieve high impacts on confidentiality and integrity, such as reading or changing the device configuration, while the vector records no availability impact. Scope is unchanged (S:U), so the rated impact is confined to the router itself; in practice a router whose configuration an attacker controls is a foothold for the network behind it.
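The pattern behind CWE-284 here is a request dispatcher that runs the requested action before (or instead of) checking who asked. The following C program is an added illustration, not code from the TOTOLINK firmware or from the referenced write-up: it shows a minimal CGI-style dispatcher in its vulnerable form beside a hardened form that applies the two controls named on this page, deny-by-default access enforcement (AC-3) and an explicit allow-list of actions permitted without authentication (AC-14). The action names (`login`, `set_admin_password`), the session token, and the function names are hypothetical; the requests in `main` are constructed inputs.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Outcomes of a dispatch. Negative values are denials. */
enum dispatch_result {
    DENY_WAN = -1,             /* management plane is not reachable from WAN */
    DENY_UNAUTHENTICATED = -2, /* action needs a session and none was presented */
    RESULT_UNKNOWN = 0,        /* no such action */
    RESULT_LOGIN = 1,          /* login form processed */
    RESULT_PASSWORD_SET = 2    /* admin password changed (privileged) */
};

/* Constructed session table: the only live session token is "s3ss10n-ok". */
static const char *live_sessions[] = { "s3ss10n-ok", NULL };

static bool session_is_valid(const char *cookie) {
    if (cookie == NULL) return false;
    for (int i = 0; live_sessions[i] != NULL; i++)
        if (strcmp(live_sessions[i], cookie) == 0) return true;
    return false;
}

/* AC-14: the explicit allow-list of actions that may run without
 * identification or authentication. Anything not listed is denied. */
static const char *unauthenticated_actions[] = { "login", NULL };

static bool permitted_without_auth(const char *action) {
    for (int i = 0; unauthenticated_actions[i] != NULL; i++)
        if (strcmp(unauthenticated_actions[i], action) == 0) return true;
    return false;
}

/* The action handler proper: it trusts whoever called it (hypothetical actions). */
static int run_action(const char *action) {
    if (strcmp(action, "login") == 0) return RESULT_LOGIN;
    if (strcmp(action, "set_admin_password") == 0) return RESULT_PASSWORD_SET;
    return RESULT_UNKNOWN;
}

/* Vulnerable pattern (CWE-284): the dispatcher never looks at the session or
 * the ingress interface, so any peer that can reach the web server can invoke
 * privileged actions. The two ignored parameters are exactly the problem. */
int vulnerable_dispatch(const char *action, const char *cookie, bool from_wan) {
    (void)cookie;
    (void)from_wan;
    return run_action(action);
}

/* Hardened pattern (AC-3 + AC-14): refuse management traffic from WAN, then
 * require a live session for every action not on the unauthenticated list. */
int hardened_dispatch(const char *action, const char *cookie, bool from_wan) {
    if (from_wan) return DENY_WAN;
    if (!permitted_without_auth(action) && !session_is_valid(cookie))
        return DENY_UNAUTHENTICATED;
    return run_action(action);
}

int main(void) {
    /* Constructed requests: an unauthenticated LAN peer, an authenticated one,
     * an unauthenticated login, and an authenticated peer arriving on WAN. */
    printf("vulnerable, no session:   %d\n", vulnerable_dispatch("set_admin_password", NULL, false));
    printf("hardened,   no session:   %d\n", hardened_dispatch("set_admin_password", NULL, false));
    printf("hardened,   with session: %d\n", hardened_dispatch("set_admin_password", "s3ss10n-ok", false));
    printf("hardened,   login (open): %d\n", hardened_dispatch("login", NULL, false));
    printf("hardened,   from WAN:     %d\n", hardened_dispatch("set_admin_password", "s3ss10n-ok", true));
    return 0;
}
```

The hardened dispatcher checks the ingress interface first and the session second, so a WAN request is rejected before any authentication state is consulted, and the only way to add an unauthenticated action is to extend the allow-list explicitly; that is the AC-14 property, an enumerated list rather than an implicit default.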
The document at https://github.com/l0tk3/CVES/blob/main/CVE-2025-55895.pdf is the referenced third-party write-up (the public proof-of-concept noted above), not vendor guidance; fixed firmware, where available, should be obtained from the vendor's website at https://www.totolink.net/. Security practitioners should consult both sources for patching instructions or workarounds specific to the affected firmware versions. Until a fixed build is confirmed installed, the practical workaround consistent with the controls listed below is to make the web interface unreachable from untrusted networks: disable WAN-side (remote) management and restrict LAN access to the interface to administrative hosts.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-203411
Vulnerability details
TOTOLINK A3300R V17.0.0cu.557_B20221024 and N200RE V9.3.5u.6448_B20240521 and V9.3.5u.6437_B20230519 are vulnerable to Incorrect Access Control. Attackers can send payloads to the interface without logging in (remote).
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The incorrect access control vulnerability in the router's web interface allows remote unauthenticated attackers to send payloads, enabling exploitation of a public-facing application (T1190) and exploitation of remote services (T1210).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- AC-14 (Permitted Actions Without Identification or Authentication): explicitly identifies and restricts the user actions that may be performed without identification or authentication, directly preventing unauthenticated payload submission to the vulnerable web interface.
- AC-3 (Access Enforcement): enforces approved authorizations for logical access to system resources, mitigating the incorrect access control that allows remote unauthenticated exploitation.
- AC-6 (Least Privilege): limits access to only the functions each role needs, reducing the scope of damage from unauthenticated interface access.