CVE-2025-6916 HIGH

CVE-2025-6916: TOTOLINK T6 formLoginAuth.htm Form_Login missing authentication

Vendor Totolink
Product T6
Weakness CWE-306 · Missing auth
Published June 30, 2025
Last update June 30, 2025

CVSS base score

8.7/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01 Description

A vulnerability, which was classified as critical, was found in TOTOLINK T6 4.1.5cu.748_B20211015. This affects the function Form_Login of the file /formLoginAuth.htm. The manipulation of the argument authCode/goURL leads to missing authentication. The attack needs to be initiated within the local network. The exploit has been disclosed to the public and may be used.

Key dates

02 Disclosure timeline

June 30, 2025 CVE published
June 30, 2025 Record updated