CVE-2026-15271
Deferred Deferred - Pending Action

Privilege Escalation in TOTOLINK Network Devices

Vulnerability report for CVE-2026-15271, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-10

Assigner: VulDB

Description

A security vulnerability has been detected in TOTOLINK A3000RU, A3100R, A950RG, AC1200T10, CP450, CS185R_T10 and EX200 up to 20260906. Affected by this issue is some unknown functionality of the file /etc/boa/boa.conf of the component Web Interface. The manipulation leads to least privilege violation. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitation is known to be difficult.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 7 associated CPEs
Vendor Product Version / Range
totolink a3000ru *
totolink a3100r *
totolink a950rg *
totolink ac1200t10 *
totolink cp450 *
totolink cs185r_t10 *
totolink ex200 to 20260906 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-272 The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability affects several TOTOLINK devices and involves an unknown functionality within the /etc/boa/boa.conf file of the Web Interface component. The issue allows for a least privilege violation, meaning an attacker could gain higher privileges than intended.

The attack can be initiated remotely but is considered difficult to exploit due to its high complexity.

Impact Analysis

Exploitation of this vulnerability can lead to a compromise of confidentiality, integrity, and availability of the affected device, as indicated by the CVSS scores.

  • An attacker could gain unauthorized access or elevated privileges on the device.
  • This could result in unauthorized control over the device's web interface.
  • Potential disruption or manipulation of device functions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15271. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart