CVE-2025-2370

HighPublic PoC

Published: 17 March 2025

Published

17 March 2025

Modified

07 April 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0039 60.0th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-2370 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Totolink Ex1800T Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 40.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Requires validation and sanitization of the apcliSsid input to prevent stack-based buffer overflow in the setWiFiExtenderConfig function.

SI-16 Memory Protection good match

prevent

Enforces memory protections like stack canaries and non-executable memory to block exploitation of the stack-based buffer overflow.

SI-2 Flaw Remediation good match

prevent

Mandates timely flaw remediation via firmware patching to eliminate the buffer overflow vulnerability in cstecgi.cgi.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Stack-based buffer overflow in public-facing CGI endpoint (/cgi-bin/cstecgi.cgi) enables remote arbitrary code execution on the router with low privileges, directly mapping to exploitation of public-facing applications for initial access and device compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A vulnerability was found in TOTOLINK EX1800T up to 9.1.0cu.2112_B20220316. It has been declared as critical. Affected by this vulnerability is the function setWiFiExtenderConfig of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument apcliSsid leads to stack-based buffer overflow. The…

attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Deeper analysisAI

CVE-2025-2370 is a critical stack-based buffer overflow vulnerability affecting TOTOLINK EX1800T router firmware versions up to 9.1.0cu.2112_B20220316. The flaw exists in the setWiFiExtenderConfig function of the /cgi-bin/cstecgi.cgi component, where manipulation of the apcliSsid argument triggers the overflow. It is associated with CWEs-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-121 (Stack-based Buffer Overflow), and CWE-787 (Out-of-bounds Write), and carries a CVSS v3.1 base score of 8.8.

The vulnerability enables remote exploitation by an attacker with low privileges over the network. Per the CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), it requires low attack complexity, no user interaction, and unchanged scope, allowing high impacts on confidentiality, integrity, and availability. This could result in arbitrary code execution or device compromise.

VulDB advisories (ctiid.299869, id.299869, submit.515329) document the issue and note that an exploit has been publicly disclosed. A proof-of-concept is available on GitHub at https://github.com/kn0sky/cve/blob/main/TOTOLINK%20EX1800T/Stack-based%20Buffer%20Overflow%2003%20setWiFiExtenderConfig-_apcliSsid.md, which may facilitate active attacks. The vendor site at https://www.totolink.net/ provides general support, but no specific patch details are outlined in the references.

Details

CWE(s): CWE-119 CWE-121 CWE-787

Affected Products

totolink

ex1800t firmware

≤ 9.1.0cu.2112_b20220316

CVEs Like This One

CVE-2025-2097Same product: Totolink Ex1800T

CVE-2025-2369Same product: Totolink Ex1800T

CVE-2025-1852Same product: Totolink Ex1800T

CVE-2025-2096Same product: Totolink Ex1800T

CVE-2025-2094Same product: Totolink Ex1800T

CVE-2025-2095Same product: Totolink Ex1800T

CVE-2025-12259Same vendor: Totolink

CVE-2025-12260Same vendor: Totolink

CVE-2025-12241Same vendor: Totolink

CVE-2026-26732Same vendor: Totolink

References

https://github.com/kn0sky/cve/blob/main/TOTOLINK%20EX1800T/Stack-based%20Buffer%20Overflow%2003%20setWiFiExtenderConfig-_apcliSsid.md
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.299869
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.299869
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.515329
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.totolink.net/
Product · cna@vuldb.com