CVE-2025-7460
Published: 11 July 2025
Summary
CVE-2025-7460 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Totolink T6 Firmware. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 19.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
A buffer overflow vulnerability exists in the TOTOLINK T6 router firmware version 4.1.5cu.748_B20211015. It resides in the setWiFiAclRules function within the /cgi-bin/cstecgi.cgi component that handles HTTP POST requests. The flaw is triggered by unsanitized input to the mac argument and is tracked under CWE-119 and CWE-120.
An attacker with low-privileged network access can send a crafted POST request to trigger the overflow remotely. Successful exploitation yields full control over confidentiality, integrity, and availability on the affected device. A public proof-of-concept has already been published, and the CVSS 4.0 score of 7.4 reflects the combination of network reachability and high impact without user interaction.
The listed references consist of a GitHub disclosure containing the exploit details and the corresponding VulDB entries; none of the sources describe vendor patches, firmware updates, or specific mitigation steps. The associated EPSS score remains low and stable near 0.0136, with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21189
Vulnerability details
A vulnerability has been found in TOTOLINK T6 4.1.5cu.748_B20211015 and classified as critical. Affected by this vulnerability is the function setWiFiAclRules of the file /cgi-bin/cstecgi.cgi of the component HTTP POST Request Handler. The manipulation of the argument mac leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Buffer overflow in the public-facing web interface (/cgi-bin/cstecgi.cgi) of the TOTOLINK T6 router enables remote exploitation of a public-facing application for potential remote code execution.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): validates and sanitizes the 'mac' argument in HTTP POST requests to the setWiFiAclRules function, directly preventing the buffer overflow.
- SI-16 (Memory Protection): enforces memory protections such as address space layout randomization and non-executable stacks to block exploitation of the overflow for arbitrary code execution.
- SI-2 (Flaw Remediation): mandates timely flaw remediation through firmware patching for this specific buffer overflow in TOTOLINK T6 version 4.1.5cu.748_B20211015.
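The SI-10 input validation control, shown as an added example in C (this is not TOTOLINK firmware code; the real handler's internals are not on this page): a hypothetical handler bounds and parses a mac argument before any copy into a fixed-size buffer, rejecting oversized or malformed values instead of overflowing.

```c
/* Added example (not TOTOLINK firmware code): bounded, validating parser for a
 * "mac" form argument like the one setWiFiAclRules receives. The real handler's
 * internals are not on this page; this is the SI-10 style check a defender
 * expects before request data is copied into any fixed-size buffer. */
#include <string.h>
#include <stdint.h>
#define MAC_STR_LEN 17   /* "aa:bb:cc:dd:ee:ff" without the terminating NUL */

/* Length scan that never reads past `max` bytes, even for unterminated input. */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}
/* Parse `arg` into out[6]. Returns 0 on success, -1 on any malformed input.
 * Length is checked BEFORE any byte is interpreted or copied, so an oversized
 * value is rejected instead of overflowing a buffer (the CWE-120 failure). */
int parse_mac_arg(const char *arg, uint8_t out[6]) {
    if (arg == NULL || bounded_len(arg, MAC_STR_LEN + 1) != MAC_STR_LEN) return -1;
    for (int i = 0; i < 6; i++) {
        const char *p = arg + i * 3;
        int hi = hexval(p[0]), lo = hexval(p[1]);
        if (hi < 0 || lo < 0) return -1;
        if (i < 5 && p[2] != ':') return -1;   /* separator must be ':' */
        out[i] = (uint8_t)((hi << 4) | lo);
    }
    return 0;
}

/* Simulated ACL handler: the fixed-size copy happens only after validation. */
int handle_set_acl_rule(const char *mac_arg) {
    uint8_t mac[6];
    char stored[MAC_STR_LEN + 1];                    /* fixed buffer, as CGI code has */
    if (parse_mac_arg(mac_arg, mac) != 0) return -1; /* reject; nothing is copied */
    memcpy(stored, mac_arg, MAC_STR_LEN + 1);        /* length already proven: 17 + NUL */
    return 0;
}

int mac_arg_octet(const char *arg, int idx) {  /* octet idx of a valid arg, else -1 */
    uint8_t mac[6];
    if (idx < 0 || idx > 5 || parse_mac_arg(arg, mac) != 0) return -1;
    return mac[idx];
}
```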