CVE-2025-5902: TOTOLINK T10 POST Request cstecgi.cgi setUpgradeFW buffer overflow
Description
A vulnerability was found in TOTOLINK T10 4.1.8cu.5207 and classified as critical. This issue affects the function setUpgradeFW of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument slaveIpList leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Eine kritische Schwachstelle wurde in TOTOLINK T10 4.1.8cu.5207 gefunden. Davon betroffen ist die Funktion setUpgradeFW der Datei /cgi-bin/cstecgi.cgi der Komponente POST Request Handler. Dank Manipulation des Arguments slaveIpList mit unbekannten Daten kann eine buffer overflow-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk erfolgen. Der Exploit steht zur öffentlichen Verfügung.
Classification
CVE ID: CVE-2025-5902
CVSS Base Severity: HIGH
CVSS Base Score: 8.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products
Vendor: TOTOLINK
Product: T10
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.08% (probability of being exploited)
EPSS Percentile: 23.95% (scored less or equal to compared to others)
EPSS Date: 2025-06-13 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2025-5902https://vuldb.com/?id.311675
https://vuldb.com/?ctiid.311675
https://vuldb.com/?submit.592246
https://candle-throne-f75.notion.site/TOTOLINK-T10-setUpgradeFW-20bdf0aa11858089bc28f634bb140d00
https://www.totolink.net/