CVE-2025-12259
Published: 27 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-12259 is a stack-based buffer overflow vulnerability affecting the TOTOLINK A3300R router on firmware version 17.0.0cu.557_B20221024. The issue lies in the setScheduleCfg function within the /cgi-bin/cstecgi.cgi file, part of the POST Parameter Handler component, where manipulation of the recHour argument triggers the overflow.
The vulnerability enables remote exploitation over the network with low complexity and low privileges required (PR:L), without user interaction (UI:N). Per its CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), successful attacks can result in high impacts to confidentiality, integrity, and availability, associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).
Advisories reference a published exploit on GitHub at https://github.com/noahze01/IoT-vulnerable/blob/main/TOTOLink/A3300R/setScheduleCfg.md, along with VulDB entries (https://vuldb.com/?ctiid.329930, https://vuldb.com/?id.329930, https://vuldb.com/?submit.673726) and the vendor site https://www.totolink.net/. The exploit is available for use, but no specific patches or mitigations are detailed in the provided references.
Notable context includes the public availability of the exploit, indicating heightened risk for real-world exploitation against unpatched TOTOLINK A3300R devices.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stack-based buffer overflow in the remotely accessible web CGI endpoint (/cgi-bin/cstecgi.cgi setScheduleCfg via recHour POST parameter) enables remote code execution, aligning with exploitation of a public-facing application.