EUVD-2025-17589

CVE-2025-5902 HIGH
2025-06-09
8.8
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

EUVD ID Assigned: Mar 14, 2026 - 19:21 (euvd), EUVD-2025-17589
Analysis Generated: Mar 14, 2026 - 19:21 (vuln.today)
PoC Detected: Jun 16, 2025 - 14:32 (vuln.today), public exploit code
CVE Published: Jun 09, 2025 - 23:15 (nvd), HIGH 8.8

Description

A vulnerability was found in TOTOLINK T10 4.1.8cu.5207 and classified as critical. This issue affects the function setUpgradeFW of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument slaveIpList leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Analysis

CVE-2025-5902 is a critical remote buffer overflow in TOTOLINK T10 firmware version 4.1.8cu.5207, located in the setUpgradeFW function of the POST request handler. An authenticated remote attacker can exploit the missing input validation on the slaveIpList parameter to achieve complete system compromise, with high confidentiality, integrity, and availability impact. Public exploit code is available, so the vulnerability represents an actively exploitable threat.

Technical Context

The vulnerability exists in the POST request handler component (/cgi-bin/cstecgi.cgi) of TOTOLINK T10 network equipment firmware. The root cause is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), which covers classic buffer overflow conditions. The setUpgradeFW function does not validate the length of the 'slaveIpList' argument before copying it into a fixed-size buffer, so an over-long value is written past the end of that buffer. Whether the buffer lies on the stack or the heap is not specified in the record; in either case the overflow can corrupt adjacent memory structures and potentially enable arbitrary code execution. The vulnerability is triggered through HTTP POST requests to the CGI handler, a common attack surface in embedded network devices.

Affected Products

TOTOLINK T10 firmware version 4.1.8cu.5207 and likely earlier versions in the 4.1.8cu branch. CPE representation: cpe:2.3:o:totolink:t10_firmware:4.1.8cu.5207:*:*:*:*:*:*:*. The T10 is a small business/SOHO router commonly deployed in retail and SMB environments. Affected hardware: TOTOLINK T10 (all revisions compatible with this firmware version). The vulnerability potentially affects other TOTOLINK products using similar firmware architecture and cstecgi.cgi implementations, though validation is required. No patched version has been publicly confirmed as available as of this analysis.

Remediation

Immediate actions:

(1) Apply firmware patches from TOTOLINK if available: check TOTOLINK security advisories and product support pages for T10 firmware updates newer than 4.1.8cu.5207.
(2) If patches are unavailable, isolate affected T10 devices to trusted networks and restrict administrative access via firewall rules.
(3) Implement network segmentation to prevent lateral movement if compromise occurs.
(4) Disable unnecessary services and the upgrade function if operationally feasible.
(5) Monitor device logs for POST requests to /cgi-bin/cstecgi.cgi with suspicious slaveIpList parameters.
(6) Enforce strong authentication credentials on the device if it remains in use.
(7) Consider replacing the device with patched alternatives from TOTOLINK or competitive vendors if firmware updates are not available within 30 days.

Long-term: Track TOTOLINK security advisories and establish firmware update processes for all network equipment.
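A request-level check for remediation item (5), added here as an example; it is not part of the vuln.today record or of TOTOLINK's firmware. It flags POSTs to /cgi-bin/cstecgi.cgi whose slaveIpList value is not a short, comma-separated list of IPv4 addresses, which is the only shape a legitimate value should take. The body encodings handled (JSON or form-encoded), the length and entry limits, and the sample traffic are all assumptions.

```python
import ipaddress
import json
from urllib.parse import parse_qs

CGI_PATH = "/cgi-bin/cstecgi.cgi"
MAX_ENTRIES = 8     # hypothetical policy: most addresses one slaveIpList may carry
MAX_RAW_LEN = 128   # hypothetical policy: longest raw parameter value accepted


def slave_ip_list_is_valid(raw) -> bool:
    """True only if raw is a bounded, comma-separated list of IPv4 addresses.

    An empty value is treated as a valid (empty) list."""
    if not isinstance(raw, str) or len(raw) > MAX_RAW_LEN:
        return False
    entries = raw.split(",") if raw else []
    if len(entries) > MAX_ENTRIES:
        return False
    try:
        for entry in entries:
            ipaddress.IPv4Address(entry)   # rejects anything that is not a dotted quad
    except ValueError:
        return False
    return True


def extract_slave_ip_list(body: str):
    """Pull slaveIpList out of a JSON object or a form-encoded body; None if absent."""
    try:
        data = json.loads(body)
        if isinstance(data, dict):
            return data.get("slaveIpList")
    except ValueError:
        pass                                # not JSON, fall through to form parsing
    values = parse_qs(body, keep_blank_values=True).get("slaveIpList")
    return values[0] if values else None


def classify_request(method: str, path: str, body: str) -> str:
    """'ignore' for unrelated traffic, 'ok' for well-formed input, 'suspicious' otherwise."""
    if method.upper() != "POST" or path != CGI_PATH:
        return "ignore"
    raw = extract_slave_ip_list(body)
    if raw is None:
        return "ok"                         # parameter not present in this request
    return "ok" if slave_ip_list_is_valid(raw) else "suspicious"


# Constructed sample traffic, not captured from a real device.
SAMPLES = [
    ("GET", "/", ""),
    ("POST", CGI_PATH, '{"slaveIpList":"192.168.0.2,192.168.0.3"}'),
    ("POST", CGI_PATH, "slaveIpList=" + "A" * 600),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        print(classify_request(method, path, body), method, path, body[:40])
```

Run it in front of the device (reverse proxy or IDS hook) rather than on the T10 itself, and log the full request for any "suspicious" verdict.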

Priority Score

65 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.6
CVSS: +44
POC: +20


EUVD-2025-17589 vulnerability details – vuln.today
