CVE-2025-12259
Published: 27 October 2025
Summary
CVE-2025-12259 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Totolink A3300R Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 37.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of the recHour POST parameter in setScheduleCfg to prevent the stack-based buffer overflow from invalid inputs.
Mandates identification, reporting, and correction of the specific buffer overflow flaw in the cstecgi.cgi handler, including timely patching.
Implements memory safeguards like stack canaries, ASLR, and DEP to protect against exploitation of the stack buffer overflow vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in the remotely accessible web CGI endpoint (/cgi-bin/cstecgi.cgi setScheduleCfg via recHour POST parameter) enables remote code execution, aligning with exploitation of a public-facing application.
NVD Description
A flaw has been found in TOTOLINK A3300R 17.0.0cu.557_B20221024. The affected element is the function setScheduleCfg of the file /cgi-bin/cstecgi.cgi of the component POST Parameter Handler. This manipulation of the argument recHour causes stack-based buffer overflow. It is possible to…
more
initiate the attack remotely. The exploit has been published and may be used.
Deeper analysisAI
CVE-2025-12259 is a stack-based buffer overflow vulnerability affecting the TOTOLINK A3300R router on firmware version 17.0.0cu.557_B20221024. The issue lies in the setScheduleCfg function within the /cgi-bin/cstecgi.cgi file, part of the POST Parameter Handler component, where manipulation of the recHour argument triggers the overflow.
The vulnerability enables remote exploitation over the network with low complexity and low privileges required (PR:L), without user interaction (UI:N). Per its CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), successful attacks can result in high impacts to confidentiality, integrity, and availability, associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).
Advisories reference a published exploit on GitHub at https://github.com/noahze01/IoT-vulnerable/blob/main/TOTOLink/A3300R/setScheduleCfg.md, along with VulDB entries (https://vuldb.com/?ctiid.329930, https://vuldb.com/?id.329930, https://vuldb.com/?submit.673726) and the vendor site https://www.totolink.net/. The exploit is available for use, but no specific patches or mitigations are detailed in the provided references.
Notable context includes the public availability of the exploit, indicating heightened risk for real-world exploitation against unpatched TOTOLINK A3300R devices.
Details
- CWE(s)