CVE-2026-15271
Deferred
Deferred - Pending Action
Privilege Escalation in TOTOLINK Network Devices
Vulnerability report for CVE-2026-15271, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-09
Last updated on: 2026-07-10
Assigner: VulDB
Description
Description
A security vulnerability has been detected in TOTOLINK A3000RU, A3100R, A950RG, AC1200T10, CP450, CS185R_T10 and EX200 up to 20260906. Affected by this issue is some unknown functionality of the file /etc/boa/boa.conf of the component Web Interface. The manipulation leads to least privilege violation. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitation is known to be difficult.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| totolink | a3000ru | * |
| totolink | a3100r | * |
| totolink | a950rg | * |
| totolink | ac1200t10 | * |
| totolink | cp450 | * |
| totolink | cs185r_t10 | * |
| totolink | ex200 | to 20260906 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-272 | The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed. |
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |