CVE-2025-60684

A stack buffer overflow vulnerability exists in the ToToLink LR1200GB (V9.1.0u.6619_B20230130) and NR1800X (V9.1.0u.6681_B20230703) Router firmware within the cstecgi.cgi binary (sub_42F32C function). The web interface reads the "lang" parameter and constructs Help URL strings using sprintf() into fixed-size stack buffers without proper length validation. Maliciously crafted input can overflow these buffers, potentially leading to arbitrary code execution or memory corruption, without requiring authentication.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
http://totolink.com	Broken Link
https://github.com/yifan20020708/SGTaint-0-day/blob/main/ToToLink/ToToLink-LR1200GB/CVE-2025-60684.md	Exploit Third Party Advisory
https://www.totolink.net/	Product

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:totolink:lr1200gb_firmware:9.1.0u.6619_b20230130:*:*:*:*:*:*:*

cpe:2.3:h:totolink:lr1200gb:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:totolink:nr1800x_firmware:9.1.0u.6681_b20230703:*:*:*:*:*:*:*

cpe:2.3:h:totolink:nr1800x:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-11-13 16:15

Updated : 2025-11-24 15:33

NVD link : CVE-2025-60684

Mitre link : CVE-2025-60684

CVE.ORG link : CVE-2025-60684

JSON object : View

Products Affected

totolink

lr1200gb_firmware
nr1800x
nr1800x_firmware
lr1200gb

CWE

CWE-121

Stack-based Buffer Overflow

{"id": "CVE-2025-60684", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}]}, "published": "2025-11-13T16:15:52.337", "references": [{"url": "http://totolink.com", "tags": ["Broken Link"], "source": "cve@mitre.org"}, {"url": "https://github.com/yifan20020708/SGTaint-0-day/blob/main/ToToLink/ToToLink-LR1200GB/CVE-2025-60684.md", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.totolink.net/", "tags": ["Product"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-121"}]}], "descriptions": [{"lang": "en", "value": "A stack buffer overflow vulnerability exists in the ToToLink LR1200GB (V9.1.0u.6619_B20230130) and NR1800X (V9.1.0u.6681_B20230703) Router firmware within the cstecgi.cgi binary (sub_42F32C function). The web interface reads the \"lang\" parameter and constructs Help URL strings using sprintf() into fixed-size stack buffers without proper length validation. Maliciously crafted input can overflow these buffers, potentially leading to arbitrary code execution or memory corruption, without requiring authentication."}], "lastModified": "2025-11-24T15:33:48.037", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:totolink:lr1200gb_firmware:9.1.0u.6619_b20230130:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "00F36DE9-D043-4C8B-9EF9-8DA669589E85"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:totolink:lr1200gb:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "8442849E-5B06-41A1-8DA8-827FBD7A34E5"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:totolink:nr1800x_firmware:9.1.0u.6681_b20230703:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7F9DCAA5-1EC6-44A1-9606-B6FBF29DEC65"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:totolink:nr1800x:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "B4D2D0E8-2678-4238-8229-83450ECA1153"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}