Cyber Posture

CVE-2025-67186

Critical · Public PoC

Published: 03 February 2026

Modified: 10 February 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0120 (79.0th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

TOTOLINK A950RG V4.1.2cu.5204_B20210112 contains a buffer overflow vulnerability in the setUrlFilterRules interface of /lib/cste_modules/firewall.so. The vulnerability occurs because the `url` parameter is not properly validated for length, allowing remote attackers to trigger a buffer overflow, potentially leading to arbitrary code execution or denial of service.

Mitigating Controls (NIST 800-53 r5) · AI

prevent: Directly addresses the lack of length validation on the `url` parameter in the setUrlFilterRules interface, preventing buffer overflow exploitation.

prevent: Requires timely remediation of the identified buffer overflow flaw through patching or firmware updates to eliminate the vulnerability.

prevent: Implements memory protections such as ASLR and stack canaries to mitigate successful buffer overflow exploitation even if input validation fails.

Security Summary · AI

TOTOLINK A950RG routers running firmware version V4.1.2cu.5204_B20210112 are affected by CVE-2025-67186, a buffer overflow vulnerability (CWE-120) in the setUrlFilterRules interface within the /lib/cste_modules/firewall.so library. The issue arises because the `url` parameter lacks proper length validation, enabling attackers to overflow the buffer. Published on 2026-02-03, this vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact exploitation.

Remote attackers can exploit this vulnerability without authentication, privileges, or user interaction by sending specially crafted requests to the affected interface. Successful exploitation may result in arbitrary code execution on the device or denial of service, allowing full compromise of the router's functionality, including potential network pivoting or persistence in IoT environments.

Mitigation details are available in the primary advisory reference at https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/ToTolink/A950RG/5024-setUrlFliterRules-url-buffer.md, which likely includes technical analysis and proof-of-concept information for practitioners to assess and address the issue. No vendor patches are specified in available data.

Details

CWE(s)

Affected Products

totolink
a950rg firmware
4.1.2cu.5204_b20210112

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Buffer overflow in unauthenticated public-facing router web interface enables remote code execution, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References