CVE-2025-67445
Published: 24 February 2026
Summary
CVE-2025-67445 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Totolink X5000R Firmware. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 42.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2025-67445 is a denial-of-service vulnerability in the TOTOLINK X5000R router firmware version V9.1.0cu.2415_B20250515. The flaw exists in the /cgi-bin/cstecgi.cgi script, which reads the CONTENT_LENGTH environment variable and allocates memory using malloc(CONTENT_LENGTH + 1) without sufficient bounds checking. When the lighttpd web server's request size limit is not enforced, this mishandling enables memory exhaustion or a segmentation fault in the management CGI.
The vulnerability can be exploited by any unauthenticated attacker with network access to the device. By crafting and sending a large POST request, the attacker triggers uncontrolled memory allocation, crashing the CGI process and rendering the web management interface unavailable. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-400 (Uncontrolled Resource Consumption).
Vendor guidance and further details, including potential patches or workarounds, are available at http://totolink.com. Additional technical analysis and a proof-of-concept are provided in the GitHub repository https://github.com/DaRkSpOoOk/CVE-2025-67445.
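The defensive counterpart to the flaw described above is a CGI that validates CONTENT_LENGTH before it ever reaches malloc. The C below is an added example written for this page; it is not code from the TOTOLINK firmware, the vendor, or the linked proof-of-concept repository. The 64 KiB cap, the function names, and the status codes are assumptions chosen for illustration: the firmware's real limits are not stated in the advisory. The parser rejects non-decimal input (a sign or stray whitespace would otherwise be silently accepted by strtoull), refuses values over the cap, and only then allocates, so an oversized or malformed header produces an error response rather than a crash.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Illustrative cap on the body a management CGI will buffer. This value is an
 * assumption for the example; the advisory does not state the firmware's limit. */
#define MAX_BODY_BYTES (64u * 1024u)

enum cl_status {
    CL_OK = 0,
    CL_MISSING,     /* no CONTENT_LENGTH in the environment */
    CL_MALFORMED,   /* not a plain non-negative decimal integer */
    CL_TOO_LARGE,   /* exceeds MAX_BODY_BYTES */
    CL_NOMEM        /* allocator refused even an in-range request */
};

/* Hardened replacement for the unchecked "malloc(CONTENT_LENGTH + 1)" pattern
 * the advisory describes: parse strictly, compare against the cap, and only
 * then let the caller allocate. */
enum cl_status parse_content_length(const char *value, size_t cap, size_t *out)
{
    if (value == NULL || *value == '\0')
        return CL_MISSING;
    /* Accept digits only. strtoull alone would take "-1" (wrapping to a huge
     * value), leading whitespace, or a "0x" prefix in other bases. */
    for (const char *p = value; *p; p++) {
        if (*p < '0' || *p > '9')
            return CL_MALFORMED;
    }
    errno = 0;
    char *end = NULL;
    unsigned long long n = strtoull(value, &end, 10);
    if (errno == ERANGE || end == value || *end != '\0')
        return CL_MALFORMED;      /* overflow of the integer type is a refusal, not a wrap */
    if (n > cap)
        return CL_TOO_LARGE;
    *out = (size_t)n;
    return CL_OK;
}

/* Reads the request body from fd into a NUL-terminated buffer, but only after
 * the declared length passed validation. On refusal returns NULL and sets
 * *status so the CGI can answer with an HTTP error instead of crashing. */
char *read_body(const char *content_length, int fd, enum cl_status *status)
{
    size_t len = 0;
    *status = parse_content_length(content_length, MAX_BODY_BYTES, &len);
    if (*status != CL_OK)
        return NULL;
    char *buf = malloc(len + 1);  /* len <= cap, so len + 1 cannot overflow */
    if (buf == NULL) {
        *status = CL_NOMEM;
        return NULL;
    }
    size_t got = 0;
    while (got < len) {
        ssize_t r = read(fd, buf + got, len - got);
        if (r <= 0)
            break;                /* short body: stop rather than spin */
        got += (size_t)r;
    }
    buf[got] = '\0';
    return buf;
}

int main(void)
{
    /* Constructed header values standing in for the CGI environment. */
    const char *samples[] = {"512", "65536", "65537", "4294967295", "-1", "abc", ""};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t len = 0;
        enum cl_status s = parse_content_length(samples[i], MAX_BODY_BYTES, &len);
        printf("CONTENT_LENGTH=%-12s -> status %d\n", samples[i], (int)s);
    }
    return 0;
}
```

In a real deployment the application-level check above complements, rather than replaces, the web server's own request size limit: the advisory notes that the crash is reachable precisely when lighttpd's limit is not enforced, so both layers should be configured.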
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208091
Vulnerability details
TOTOLINK X5000R V9.1.0cu.2415_B20250515 contains a denial-of-service vulnerability in /cgi-bin/cstecgi.cgi. The CGI reads the CONTENT_LENGTH environment variable and allocates memory using malloc(CONTENT_LENGTH + 1) without sufficient bounds checking. When lighttpd's request size limit is not enforced, a crafted large POST request can cause memory exhaustion or a segmentation fault, leading to a crash of the management CGI and loss of availability of the web interface.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct remote exploitation of the CGI memory allocation flaw enables application-layer DoS via crafted POST requests.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- Directly protects against the denial-of-service attack by implementing limits on request sizes and resource consumption to prevent memory exhaustion from large POST requests.
- Requires validation and bounds checking of the CONTENT_LENGTH environment variable before memory allocation to block uncontrolled malloc calls.
- Enforces allocation limits on system resources like memory to mitigate exhaustion triggered by oversized inputs in the CGI script.