CVE-2025-6916

A vulnerability, which was classified as critical, was found in TOTOLINK T6 4.1.5cu.748_B20211015. This affects the function Form_Login of the file /formLoginAuth.htm. The manipulation of the argument authCode/goURL leads to missing authentication. The attack needs to be initiated within the local network. The exploit has been disclosed to the public and may be used.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name	Vendor	Start Version	End Version
T6_firmware	Totolink	v4.1.5cu.748_b20211015 (including)	v4.1.5cu.748_b20211015 (including)

Potential Mitigations

https://cwe.mitre.org/data/definitions/114.html
https://cwe.mitre.org/data/definitions/115.html
https://cwe.mitre.org/data/definitions/151.html
https://cwe.mitre.org/data/definitions/194.html
https://cwe.mitre.org/data/definitions/22.html
https://cwe.mitre.org/data/definitions/57.html
https://cwe.mitre.org/data/definitions/593.html
https://cwe.mitre.org/data/definitions/633.html
https://cwe.mitre.org/data/definitions/650.html
https://cwe.mitre.org/data/definitions/94.html

References

https://github.com/c0nyy/IoT_vuln/blob/main/TOTOLINK%20T6%20Vuln.md
https://vuldb.com/?ctiid.314409
https://vuldb.com/?id.314409
https://vuldb.com/?submit.605101
https://www.totolink.net/
https://github.com/c0nyy/IoT_vuln/blob/main/TOTOLINK%20T6%20Vuln.md

NVD	https://nvd.nist.gov/vuln/detail/CVE-2025-6916
CWE	https://cwe.mitre.org/data/definitions/287.html

Improper Authentication

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References