CVE-2025-67188
Published: 03 February 2026
Summary
CVE-2025-67188 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in TOTOLINK A950RG firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 47.8% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
Directly mandates validating the length of the user-controlled radvdinterfacename parameter to prevent the stack buffer overflow in the setRadvdCfg interface.
Requires timely remediation of the identified buffer overflow flaw in the ipv6.so module through firmware patching or updates.
Implements memory protections to mitigate exploitation of the stack buffer overflow even if input validation is insufficient.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Unauthenticated remote buffer overflow in public-facing router web interface enables arbitrary code execution with root privileges, directly facilitating T1190: Exploit Public-Facing Application.
NVD Description
A buffer overflow vulnerability exists in TOTOLINK A950RG V4.1.2cu.5204_B20210112. The issue resides in the setRadvdCfg interface of the /lib/cste_modules/ipv6.so module. The function fails to properly validate the length of the user-controlled radvdinterfacename parameter, allowing remote attackers to trigger a stack buffer overflow.
Deeper analysis (AI)
**CVE-2025-67188 Vulnerability Summary**
CVE-2025-67188 is a stack-based buffer overflow vulnerability in the TOTOLINK A950RG router running firmware version V4.1.2cu.5204_B20210112. The flaw resides in the `setRadvdCfg` interface of the `/lib/cste_modules/ipv6.so` module, where insufficient validation of the user-supplied `radvdinterfacename` parameter length allows overflow of a fixed-size stack buffer (CWE-120). Published on 2026-02-03 with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), it poses a critical risk due to its simplicity and impact.
Unauthenticated remote attackers can exploit this over the network by sending a crafted HTTP request to the vulnerable endpoint, triggering the overflow without user interaction. Successful exploitation enables arbitrary code execution with root privileges on the device, potentially allowing full compromise, data exfiltration, persistent backdoor installation, or use as a pivot in larger network attacks.
The referenced GitHub advisory (https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/ToTolink/A950RG/5024-ipv6-setRadvdCfg-radvdinterfacename-buffer.md) provides proof-of-concept details, including vulnerable code snippets and exploit reproduction steps, but no vendor patches are mentioned. Security practitioners should immediately isolate affected devices, monitor for anomalous traffic to the web interface, and check for firmware updates from TOTOLINK; input sanitization or disabling the IPv6 module may serve as interim mitigations. No evidence of in-the-wild exploitation has been reported.
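The input-validation control described above (checking the length of `radvdinterfacename` before it reaches a fixed-size buffer) can be sketched as follows. This is an added example, not code from the TOTOLINK firmware or the referenced advisory; the function names, the 16-byte limit (the Linux `IFNAMSIZ` convention) and the character allowlist are assumptions, since the page does not state the real buffer size.

```c
#include <stddef.h>
#include <string.h>

/* Assumption: Linux interface names fit in 16 bytes including the NUL
 * (IFNAMSIZ). The actual buffer size in ipv6.so is not given on the page. */
#define IFNAME_MAX 16

enum ifname_status { IFNAME_OK = 0, IFNAME_EMPTY, IFNAME_TOO_LONG, IFNAME_BAD_CHAR };

/* Validate an untrusted interface name. Reads at most IFNAME_MAX bytes,
 * so an oversized request value is rejected without scanning all of it. */
enum ifname_status ifname_check(const char *s)
{
    if (s == NULL || s[0] == '\0')
        return IFNAME_EMPTY;
    for (size_t n = 0; s[n] != '\0'; n++) {
        char c = s[n];
        if (n >= IFNAME_MAX - 1)          /* no room left for the NUL */
            return IFNAME_TOO_LONG;
        /* Allowlist instead of denylist: letters, digits, '.', '_', '-'. */
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-'))
            return IFNAME_BAD_CHAR;
    }
    return IFNAME_OK;
}

/* Hypothetical handler-side helper: copy into a fixed-size buffer only
 * after validation. On any failure dst is left as an empty string; the
 * value is rejected rather than silently truncated. */
enum ifname_status ifname_copy(char *dst, size_t dst_size, const char *src)
{
    enum ifname_status st;
    size_t len;

    if (dst == NULL || dst_size == 0)
        return IFNAME_TOO_LONG;
    dst[0] = '\0';
    st = ifname_check(src);
    if (st != IFNAME_OK)
        return st;
    len = strlen(src);                    /* bounded: check passed above */
    if (len >= dst_size)                  /* destination smaller than limit */
        return IFNAME_TOO_LONG;
    memcpy(dst, src, len + 1);            /* includes the terminating NUL */
    return IFNAME_OK;
}
```

A handler should treat any status other than `IFNAME_OK` as a rejected request and log it, which also gives defenders a signal for oversized parameter values sent to the web interface.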
Details
- CWE(s)