CVE-2025-12240
Published: 27 October 2025
Description
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Security Summary
CVE-2025-12240 is a buffer overflow vulnerability (CWE-119, CWE-120) affecting the TOTOLINK A3300R router on firmware version 17.0.0cu.557_B20221024. The flaw exists in the setDmzCfg function of the /cgi-bin/cstecgi.cgi component, where manipulation of the "ip" argument triggers the overflow. Published on 2025-10-27, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An attacker with low privileges, such as an authenticated user, can exploit this remotely over the network with low complexity and no user interaction required. Successful exploitation enables high-impact consequences, including unauthorized access to sensitive data, modification of system integrity, and denial of service through availability disruption.
Advisories note that a proof-of-concept exploit has been publicly disclosed on GitHub at https://github.com/noahze01/IoT-vulnerable/blob/main/TOTOLink/A3300R/setDmzCfg.md, and it may be used in attacks. Additional details are available via VulDB (https://vuldb.com/?ctiid.329910, https://vuldb.com/?id.329910, https://vuldb.com/?submit.673722), with the vendor site at https://www.totolink.net/ for potential patches or further guidance.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The buffer overflow in the router's public-facing web CGI endpoint (the setDmzCfg function of /cgi-bin/cstecgi.cgi) enables remote code execution by an attacker with low privileges (PR:L in the CVSS vector), which maps directly to exploitation of public-facing applications (T1190) and of remote services (T1210).