CVE-2025-8138
Published: 25 July 2025
Summary
CVE-2025-8138 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Totolink A702R Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 29.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Validates the submit-url argument in the HTTP POST request handler to prevent buffer overflow triggered by malformed inputs.
Implements memory protections such as stack canaries, ASLR, and DEP to mitigate exploitation of the buffer overflow for arbitrary code execution.
Requires timely remediation of the known buffer overflow flaw through firmware updates or patches for the TOTOLINK A702R router.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated buffer overflow in the router's public-facing web management interface (/boafrm/formOneKeyAccessButton) enables exploitation for initial access (T1190) and denial of service via application exploitation (T1499.004), with public PoC available.
NVD Description
A vulnerability was found in TOTOLINK A702R 4.0.0-B20230721.1521 and classified as critical. Affected by this issue is some unknown functionality of the file /boafrm/formOneKeyAccessButton of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer…
more
overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-8138 is a critical buffer overflow vulnerability affecting the TOTOLINK A702R router running firmware version 4.0.0-B20230721.1521. The issue resides in an unknown functionality of the /boafrm/formOneKeyAccessButton component within the HTTP POST Request Handler, where manipulation of the "submit-url" argument triggers the overflow. Classified under CWE-119 and CWE-120, it carries a CVSS v3.1 base score of 8.8, reflecting high severity due to its potential for significant impact.
The vulnerability can be exploited remotely by an attacker with low privileges over the network, requiring low attack complexity and no user interaction. Successful exploitation of the buffer overflow could grant high confidentiality, integrity, and availability impacts, potentially allowing arbitrary code execution or system compromise on the affected device.
Advisories from VulDB and a related GitHub repository detail the vulnerability and provide a public proof-of-concept exploit in the formOneKeyAccessButton.md file. The vendor's website at totolink.net is referenced, though no specific patches or mitigations are outlined in the available disclosures.
The exploit has been publicly disclosed, increasing the risk of widespread abuse against unpatched TOTOLINK A702R devices.
Details
- CWE(s)