CVE Alert: CVE-2025-12241 – TOTOLINK – A3300R
CVE-2025-12241
A vulnerability was detected in TOTOLINK A3300R 17.0.0cu.557_B20221024. It affects the function setLanguageCfg in the file /cgi-bin/cstecgi.cgi of the component POST Parameter Handler. Manipulation of the argument lang results in a stack-based buffer overflow. The attack can be launched remotely. An exploit is public and may be used.
AI Summary Analysis
Risk verdict
High risk: remote, publicly exploitable stack-based overflow with potential for immediate code execution on vulnerable devices.
Why this matters
A successful exploit gives the attacker code execution on the router with no user interaction, and from there traffic interception, DNS and routing manipulation, and lateral movement into the network behind the device. Where the router carries the site's WAN/LAN traffic, an attacker can disrupt connectivity, exfiltrate data, or pivot to connected hosts, affecting availability, integrity, and confidentiality.
Most likely attack path
An attacker sends a crafted POST request to the web-facing /cgi-bin/cstecgi.cgi endpoint with an oversized lang value, overflowing a fixed-size stack buffer in the setLanguageCfg handler. With a public exploit available, the practical outcome is code execution in the context of the router's web server, which on consumer devices commonly runs as root. The description does not say whether the endpoint requires an authenticated session, so treat it as reachable by anyone who can reach the web interface until the vendor states otherwise. Once on the device, attacker code can persist across reboots or serve as a foothold for further access to the internal network.
Who is most exposed
Home and small-business users running consumer-class routers with internet-facing management or lax WAN access controls are most exposed; any A3300R with remote management enabled on the WAN side should be treated as directly attackable.
Detection ideas
- Alerts on POST requests to /cgi-bin/cstecgi.cgi whose lang parameter is oversized, contains non-printable bytes, or is anything other than a short language code.
- Crashes, reboots, or watchdog and memory-dump logs tied to the device's web service.
- Sudden changes to the router's DNS settings, routing table, or port forwards that no administrator made.
- Unusual CPU or memory spikes, or instability, coinciding with web-service activity.
- IDS/IPS signatures for overflow-style payloads (long runs of repeated or non-printable bytes) in requests to CGI endpoints.
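The first detection idea above, and the attack path it corresponds to, can be turned into a concrete check. The following is an added example written for this page, not code from the advisory or from TOTOLINK. It inspects raw HTTP request text (from a proxy, IDS, or packet capture that records request bodies, since ordinary access logs drop the POST body that carries lang) and flags requests to /cgi-bin/cstecgi.cgi whose lang value is oversized or not a plain language code, plus management traffic arriving from outside the LAN. Assumptions: the handler is selected by a "topicurl" key in a JSON body (the usual pattern for this CGI on TOTOLINK firmware; a form-encoded body is handled too), legitimate language values are short alphanumeric codes, and the LAN uses RFC 1918 addresses. The sample requests are constructed for the example; the oversized one is a detection sample, not a working exploit.

```python
"""Flag HTTP requests that look like attempts on the setLanguageCfg handler
behind /cgi-bin/cstecgi.cgi.  Added example; not code from the advisory or
from TOTOLINK.  Works on raw request text because access logs do not keep
the POST body that carries the lang parameter."""
import ipaddress
import json
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

CGI_PATH = "/cgi-bin/cstecgi.cgi"
# Assumption: real language values are short codes such as "en" or "zh-cn".
MAX_LANG_LEN = 16
LEGIT_LANG = re.compile(r"[A-Za-z0-9_-]+")
# Assumption: the router's LAN side is RFC 1918 space; anything else is WAN.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2:
        return "", "", {}, ""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers, body


def extract_lang(headers: Dict[str, str], body: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (handler, lang) from a JSON or form-encoded body; None where absent.

    Assumption: the handler is named by a "topicurl" key (TOTOLINK's usual
    pattern for this CGI); form-encoded bodies are decoded the same way."""
    if "json" in headers.get("content-type", "") or body.lstrip().startswith("{"):
        try:
            obj = json.loads(body)
        except ValueError:
            return None, None
        if not isinstance(obj, dict):
            return None, None
        lang = obj.get("lang")
        return obj.get("topicurl"), None if lang is None else str(lang)
    form = parse_qs(body, keep_blank_values=True)
    return (form.get("topicurl") or [None])[0], (form.get("lang") or [None])[0]


def assess(raw: str, src_ip: Optional[str] = None) -> List[str]:
    """Return the reasons a request is suspicious; an empty list means benign."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or path.split("?", 1)[0] != CGI_PATH:
        return []
    reasons: List[str] = []
    # Management traffic from outside the LAN means WAN-side admin is exposed.
    if src_ip is not None and not any(ipaddress.ip_address(src_ip) in net for net in LAN_NETS):
        reasons.append(f"management request from non-LAN address {src_ip}")
    handler, lang = extract_lang(headers, body)
    if lang is None:
        return reasons
    target = " (handler setLanguageCfg)" if handler == "setLanguageCfg" else ""
    if len(lang) > MAX_LANG_LEN:
        reasons.append(f"oversized lang value: {len(lang)} bytes{target}")
    if not LEGIT_LANG.fullmatch(lang):
        reasons.append(f"non-alphanumeric lang value{target}")
    return reasons


# Constructed sample requests (not captured traffic).
BENIGN_REQUEST = (
    "POST /cgi-bin/cstecgi.cgi HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"topicurl":"setLanguageCfg","lang":"en"}'
)
# A 512-byte lang value from a non-LAN source: a detection sample, not an exploit.
OVERSIZED_REQUEST = (
    "POST /cgi-bin/cstecgi.cgi HTTP/1.1\r\n"
    "Host: 203.0.113.10\r\n"
    "Content-Type: application/json\r\n"
    "\r\n" + json.dumps({"topicurl": "setLanguageCfg", "lang": "A" * 512})
)
# Form-encoded body carrying a NUL and an invalid byte in lang.
FORM_REQUEST = (
    "POST /cgi-bin/cstecgi.cgi HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "topicurl=setLanguageCfg&lang=en%00%ff"
)

if __name__ == "__main__":
    for label, req, ip in (("benign", BENIGN_REQUEST, "192.168.0.50"),
                           ("oversized", OVERSIZED_REQUEST, "203.0.113.10"),
                           ("form", FORM_REQUEST, "192.168.0.77")):
        print(f"{label}: {assess(req, ip) or 'benign'}")
```

The length threshold and the character class are the tunable parts: if the firmware accepts locale strings longer than 16 bytes, raise MAX_LANG_LEN rather than loosening the character class, since an overflow payload has to be long whereas a real language code never needs control or high bytes.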
Mitigation and prioritisation
- Apply patched firmware as soon as TOTOLINK publishes it; until then, disable or tightly restrict WAN-side management and require a VPN for administrative access.
- Restrict who can reach the web interface (LAN or a management VLAN only). Note that /cgi-bin/cstecgi.cgi handles the router's whole management API, so blocking the endpoint itself disables administration; parameter-validation or WAF rules only help where a proxy actually sits in front of the device.
- After the fix, verify the device configuration (DNS, routes, port forwards, admin accounts), rotate admin credentials, and keep monitoring for anomalous router activity.
- Schedule remediation for the next maintenance window at the latest; validate the new firmware on a test unit before broad rollout.
- If the CVE appears in CISA KEV or gains a high EPSS score, raise it to priority 1; otherwise treat it as high priority given the public exploit.