CVE-2025-7912

HighPublic PoC

Published: 20 July 2025

Published

20 July 2025

Modified

23 July 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0065 70.8th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-7912 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Totolink T6 Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 29.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly validates crafted inputs like the 's' argument to the recvSlaveUpgstatus function in the MQTT Service, preventing buffer overflow exploitation.

SI-16 Memory Protection good match

prevent

Enforces memory protections such as address space layout randomization and stack guards to mitigate unauthorized code execution from buffer overflows in the MQTT Service.

SI-2 Flaw Remediation good match

prevent

Requires identification, reporting, and patching of the specific buffer overflow flaw in TOTOLINK T6 firmware version 4.1.5cu.748_B20211015.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1210 Exploitation of Remote Services Lateral Movement

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Buffer overflow in exposed MQTT service enables remote code execution from low-priv network access (T1190/T1210) and achieves privilege escalation to full device control (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability, which was classified as critical, has been found in TOTOLINK T6 4.1.5cu.748_B20211015. This issue affects the function recvSlaveUpgstatus of the component MQTT Service. The manipulation of the argument s leads to buffer overflow. The attack may be initiated…

remotely. The exploit has been disclosed to the public and may be used.

Deeper analysisAI

CVE-2025-7912 is a critical buffer overflow vulnerability affecting the TOTOLINK T6 router running firmware version 4.1.5cu.748_B20211015. The issue resides in the recvSlaveUpgstatus function within the MQTT Service component, where manipulation of the argument "s" triggers the overflow. Classified under CWE-119 and CWE-120, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for remote exploitation.

Attackers with low privileges (PR:L) can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By sending crafted input to the affected function, they can achieve high impacts on confidentiality, integrity, and availability, potentially leading to arbitrary code execution, data compromise, or device disruption on the targeted router.

References including VulDB entries and a GitHub repository provide details on the vulnerability, with the latter disclosing a proof-of-concept exploit. No vendor advisories or patches are mentioned in the available information, emphasizing the need for practitioners to isolate affected devices and monitor for exploitation attempts until firmware updates are confirmed. The public disclosure of the exploit increases the risk of active use by threat actors.

Details

CWE(s): CWE-119 CWE-120

Affected Products

totolink

t6 firmware

v4.1.5cu.748_b20211015

CVEs Like This One

CVE-2025-8170Same product: Totolink T6

CVE-2025-7460Same product: Totolink T6

CVE-2025-7913Same product: Totolink T6

CVE-2025-7758Same product: Totolink T6

CVE-2025-7837Same product: Totolink T6

CVE-2025-7862Same product: Totolink T6

CVE-2025-7614Same product: Totolink T6

CVE-2025-7524Same product: Totolink T6

CVE-2025-7952Same product: Totolink T6

CVE-2025-7615Same product: Totolink T6

References

https://github.com/AnduinBrian/Public/blob/main/Totolink%20T6/Vuln/6.md
Exploit, Third Party Advisory · cna@vuldb.com
https://github.com/AnduinBrian/Public/blob/main/Totolink%20T6/Vuln/6.md#poc
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.317027
Permissions Required · cna@vuldb.com
https://vuldb.com/?id.317027
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.618655
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.totolink.net/
Product · cna@vuldb.com