CVE-2025-2097
Published: 07 March 2025
Summary
CVE-2025-2097 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Totolink Ex1800T Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 8.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely flaw remediation requires applying vendor firmware patches to directly eliminate the stack-based buffer overflow in the setRptWizardCfg function of cstecgi.cgi.
Information input validation enforces bounds checking on the loginpass argument to prevent stack-based buffer overflows from malformed or oversized inputs.
Memory protection mechanisms such as stack canaries and non-executable memory prevent successful exploitation of the stack buffer overflow for arbitrary code execution.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The stack-based buffer overflow in the router's public-facing web CGI (/cgi-bin/cstecgi.cgi) directly enables remote exploitation of a public-facing application for arbitrary code execution, matching T1190.
NVD Description
A vulnerability, which was classified as critical, has been found in TOTOLINK EX1800T 9.1.0cu.2112_B20220316. This issue affects the function setRptWizardCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument loginpass leads to stack-based buffer overflow. The attack may be initiated…
more
remotely. The exploit has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-2097 is a critical stack-based buffer overflow vulnerability (CWE-119, CWE-121, CWE-787) in the TOTOLINK EX1800T router running firmware version 9.1.0cu.2112_B20220316. The flaw resides in the setRptWizardCfg function within the /cgi-bin/cstecgi.cgi file, where manipulation of the loginpass argument triggers the overflow. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for remote exploitation.
Attackers with low privileges, such as authenticated users, can exploit this vulnerability remotely with low complexity and no user interaction required. Successful exploitation allows high-impact compromise of confidentiality, integrity, and availability, potentially enabling arbitrary code execution on the affected device.
Advisories from VulDB detail the vulnerability and reference a publicly disclosed exploit, while the vendor's site at totolink.net may provide firmware updates or mitigation guidance. Security practitioners should review these resources for patches, as no specific mitigation details are outlined in the core CVE description.
A proof-of-concept exploit is publicly available on GitHub, increasing the risk of real-world abuse against unpatched TOTOLINK EX1800T devices.
Details
- CWE(s)