CVE-2025-8170
Published: 25 July 2025
Summary
CVE-2025-8170 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Totolink T6 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 30.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Validates the serverIp argument in the tcpcheck_net function to prevent buffer overflow exploitation.
Implements memory safeguards like address space layout randomization and data execution prevention to mitigate buffer overflow leading to arbitrary code execution.
Requires timely remediation of the known buffer overflow flaw in the MQTT Packet Handler via firmware updates.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote buffer overflow in the router's MQTT packet handler (/router/meshSlaveDlfw tcpcheck_net serverIp) enables exploitation of a public-facing web endpoint or remote service for remote code execution.
NVD Description
A vulnerability classified as critical was found in TOTOLINK T6 4.1.5cu.748_B20211015. This vulnerability affects the function tcpcheck_net of the file /router/meshSlaveDlfw of the component MQTT Packet Handler. The manipulation of the argument serverIp leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Deeper analysis
CVE-2025-8170 is a critical buffer overflow vulnerability affecting the TOTOLINK T6 router firmware version 4.1.5cu.748_B20211015. The flaw resides in the tcpcheck_net function within the file /router/meshSlaveDlfw of the MQTT Packet Handler component, triggered by manipulation of the serverIp argument. Published on 2025-07-25, it is associated with CWE-119 and CWE-120, and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The vulnerability enables remote exploitation by attackers possessing low privileges. Successful manipulation allows attackers to trigger a buffer overflow, potentially resulting in high-impact compromise of confidentiality, integrity, and availability, such as arbitrary code execution on the affected device.
Advisories and a proof-of-concept exploit are documented in public references, including GitHub at https://github.com/AnduinBrian/Public/blob/main/Totolink%20T6/Vuln/9.md and https://github.com/AnduinBrian/Public/blob/main/Totolink%20T6/Vuln/9.md#poc, as well as VulDB entries at https://vuldb.com/?ctiid.317584, https://vuldb.com/?id.317584, and https://vuldb.com/?submit.620834.
The exploit has been disclosed to the public and may be used in attacks.
Details
- CWE(s)