CVE-2025-2097
Published: 07 March 2025
Summary
CVE-2025-2097 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Totolink Ex1800T Firmware. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 8.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
A stack-based buffer overflow vulnerability exists in the TOTOLINK EX1800T wireless router running firmware version 9.1.0cu.2112_B20220316. The flaw resides in the setRptWizardCfg function of /cgi-bin/cstecgi.cgi, where improper handling of the loginpass argument allows an attacker to overwrite the stack. It is tracked as CVE-2025-2097, carries a CVSS 4.0 score of 8.7, and is also associated with CWE-119, CWE-121, and CWE-787.
An authenticated remote attacker can send a crafted HTTP request to the management interface to trigger the overflow. Successful exploitation grants the attacker the ability to execute arbitrary code or crash the device, resulting in high impact to confidentiality, integrity, and availability without requiring user interaction.
Public exploit code has been published on GitHub, and the issue was disclosed through VulDB. The vendor site is referenced in the advisories, yet no specific patch or mitigation guidance is detailed in the available references.
EPSS for this CVE rose from lower values at disclosure to a peak of 0.1522 on 2026-04-16 before receding to the current 0.0674, indicating that exploitation interest increased after the vulnerability became public.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7496
Vulnerability details
A vulnerability, which was classified as critical, has been found in TOTOLINK EX1800T 9.1.0cu.2112_B20220316. This issue affects the function setRptWizardCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument loginpass leads to stack-based buffer overflow. The attack may be initiated…
more
remotely. The exploit has been disclosed to the public and may be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The stack-based buffer overflow in the router's public-facing web CGI (/cgi-bin/cstecgi.cgi) directly enables remote exploitation of a public-facing application for arbitrary code execution, matching T1190.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Timely flaw remediation requires applying vendor firmware patches to directly eliminate the stack-based buffer overflow in the setRptWizardCfg function of cstecgi.cgi.
Information input validation enforces bounds checking on the loginpass argument to prevent stack-based buffer overflows from malformed or oversized inputs.
Memory protection mechanisms such as stack canaries and non-executable memory prevent successful exploitation of the stack buffer overflow for arbitrary code execution.