CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
A vulnerability was found in TOTOLINK T10 4.1.8cu.5207 and classified as critical. This issue affects the function setUpgradeFW of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument slaveIpList leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
A critical remote buffer overflow vulnerability exists in TOTOLINK T10 firmware version 4.1.8cu.5207, affecting the setUpgradeFW function in the POST request handler. An authenticated remote attacker can exploit improper input validation on the slaveIpList parameter to achieve complete system compromise, with high confidentiality, integrity, and availability impact. Public exploit code is available, so the flaw should be treated as readily exploitable.
Technical Context (AI)
The vulnerability exists in the POST request handler component (/cgi-bin/cstecgi.cgi) of TOTOLINK T10 network equipment firmware. The root cause is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), which encompasses classic buffer overflow conditions. The setUpgradeFW function fails to validate the length of the slaveIpList argument before copying it into a fixed-size buffer, allowing an attacker to write beyond the buffer's bounds. Whether the buffer is stack- or heap-allocated is not stated; in either case the overflow can corrupt adjacent memory structures and potentially enable arbitrary code execution. The vulnerability is triggered through HTTP POST requests to the CGI handler, a common attack surface in embedded network devices.
Remediation (AI)
Immediate actions:
1. Apply firmware patches from TOTOLINK if available: check TOTOLINK security advisories and product support pages for T10 firmware updates newer than 4.1.8cu.5207.
2. If patches are unavailable, isolate affected T10 devices to trusted networks and restrict administrative access via firewall rules.
3. Implement network segmentation to prevent lateral movement if compromise occurs.
4. Disable unnecessary services, and the upgrade function itself, if operationally feasible.
5. Monitor device logs for POST requests to /cgi-bin/cstecgi.cgi with suspicious slaveIpList parameters.
6. Enforce strong authentication credentials on the device if it remains in use.
7. Consider replacing the device with patched alternatives from TOTOLINK or other vendors if firmware updates are not available within 30 days.
Long-term: track TOTOLINK security advisories and establish firmware update processes for all network equipment.
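The monitoring step above can be made concrete with a small log check. The following script is an added example written for this page, not vuln.today's, NVD's or TOTOLINK's code. It assumes a reverse proxy or capture tool in front of the router records each POST as a record with src, path and body fields (the field names, the JSON/form body formats and the 256-character length threshold are all assumptions of this example; the real buffer size is not given on the page). It flags requests to /cgi-bin/cstecgi.cgi whose slaveIpList value is unusually long or is not a comma-separated list of IPv4 addresses.

```python
import ipaddress
import json
from urllib.parse import parse_qs

TARGET_PATH = "/cgi-bin/cstecgi.cgi"
PARAM = "slaveIpList"
MAX_PARAM_LEN = 256  # assumption: the real fixed-size buffer length is not public here

# Constructed sample records (not real traffic): the record layout is an assumption.
SAMPLE_REQUESTS = [
    {"src": "192.0.2.10", "path": TARGET_PATH,
     "body": '{"slaveIpList": "192.168.0.2,192.168.0.3"}'},
    {"src": "192.0.2.11", "path": TARGET_PATH,
     "body": '{"slaveIpList": "' + "A" * 600 + '"}'},
    {"src": "192.0.2.12", "path": TARGET_PATH,
     "body": "slaveIpList=192.168.0.2%2Cnot-an-ip"},
    {"src": "192.0.2.13", "path": "/index.html", "body": ""},
]


def extract_param(body, name):
    """Return the named parameter from a JSON or form-encoded body, or None if absent."""
    body = body.strip()
    if body.startswith("{"):
        try:
            data = json.loads(body)
        except json.JSONDecodeError:
            return None
        if not isinstance(data, dict):
            return None
        value = data.get(name)
        return value if isinstance(value, str) else None
    values = parse_qs(body, keep_blank_values=True).get(name)
    return values[0] if values else None


def all_ipv4(value):
    """True if value is a comma-separated list of well-formed IPv4 addresses."""
    try:
        for token in value.split(","):
            ipaddress.IPv4Address(token.strip())
    except ValueError:
        return False
    return True


def inspect_request(req):
    """Return the reasons this request looks anomalous (empty list if benign)."""
    reasons = []
    if req.get("path") != TARGET_PATH:
        return reasons
    value = extract_param(req.get("body", ""), PARAM)
    if value is None:
        return reasons
    if len(value) > MAX_PARAM_LEN:
        reasons.append(f"{PARAM} length {len(value)} exceeds {MAX_PARAM_LEN}")
    if not all_ipv4(value):
        reasons.append(f"{PARAM} is not a comma-separated list of IPv4 addresses")
    return reasons


def scan(requests):
    """Return (source, reasons) pairs for every request that raised at least one reason."""
    alerts = []
    for req in requests:
        reasons = inspect_request(req)
        if reasons:
            alerts.append((req["src"], reasons))
    return alerts


if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_REQUESTS):
        print(src, "->", "; ".join(reasons))
```

The length threshold is deliberately generous: a legitimate slaveIpList is a short list of dotted-quad addresses, so anything approaching a few hundred characters, or containing non-address tokens, is worth an alert regardless of the exact buffer size in the firmware.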
EUVD-2025-17589