CVE-2025-14964
Published: 19 December 2025
Summary
CVE-2025-14964 is a critical-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Totolink T10 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 28.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires timely remediation of identified flaws, directly addressing the stack buffer overflow by patching the vulnerable sprintf usage in cstecgi.cgi.
SI-10 mandates validation of information inputs, preventing the manipulation of the loginAuthUrl argument that triggers the buffer overflow.
SI-16 implements memory protections such as stack canaries and ASLR, mitigating exploitation of the stack-based buffer overflow even if invalid input reaches the sprintf function.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a remote, unauthenticated stack-based buffer overflow in the router's public-facing web CGI interface (/cgi-bin/cstecgi.cgi), enabling arbitrary code execution and full device compromise, directly facilitating T1190: Exploit Public-Facing Application.
NVD Description
A vulnerability has been found in TOTOLINK T10 4.1.8cu.5083_B20200521. This affects the function sprintf of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument loginAuthUrl leads to stack-based buffer overflow. The attack may be performed from remote.
Deeper analysisAI
CVE-2025-14964 is a stack-based buffer overflow vulnerability affecting the TOTOLINK T10 router on firmware version 4.1.8cu.5083_B20200521. The flaw occurs in the sprintf function within the /cgi-bin/cstecgi.cgi file, triggered by manipulation of the loginAuthUrl argument. It is classified under CWE-119 and CWE-121, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.
The vulnerability enables remote exploitation without requiring authentication, privileges, or user interaction. An attacker with network access can send crafted requests to overflow the stack, potentially achieving arbitrary code execution and full compromise of the device, including high impacts on confidentiality, integrity, and availability.
Advisories and details are documented in references such as the GitHub proof-of-concept at https://github.com/JackWesleyy/CVE/blob/main/TOTOLINK_T10_BOC.md and VulDB entries at https://vuldb.com/?ctiid.337599, https://vuldb.com/?id.337599, and https://vuldb.com/?submit.717720. Practitioners should check the vendor site at https://www.totolink.net/ for mitigation guidance or firmware patches.
Details
- CWE(s)