CVE Alert: CVE-2025-9782 – TOTOLINK – A702R

CVE-2025-9782

HIGH | No exploitation known

A vulnerability was found in TOTOLINK A702R 4.0.0-B20211108.1423. It affects the function sub_4466F8 of the file /boafrm/formOneKeyAccessButton. Manipulating the argument submit-url results in a buffer overflow. The attack may be initiated remotely. The exploit has been made public and could be used.

CVSS v3.1: 8.8
Vendor: TOTOLINK
Product: A702R
Versions: 4.0.0-B20211108.1423
CWE: CWE-120, Buffer Overflow
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R
Published: 2025-09-01T14:02:07.534Z
Updated: 2025-09-01T14:02:07.534Z

AI Summary Analysis

Risk verdict

High risk of remote code execution on affected network devices; a public PoC exists, so exploitation attempts are plausible, although no explicit KEV/SSVC exploitation state is provided.

Why this matters

An attacker holding low-privilege access to the web interface (PR:L in the vector), with no user interaction required, can trigger a buffer overflow over the network, potentially taking control of the device and exposing the internal network. The impact is high (confidentiality, integrity and availability all affected) and could enable further data access or a network pivot, particularly where management interfaces are reachable from the internet or poorly segmented.

Most likely attack path

An attacker with network access submits a crafted submit-url value to the vulnerable endpoint, causing memory corruption. The vector requires no user interaction and only low privileges, so insider or external attackers within the network perimeter could exploit it; a successful exploit could yield remote code execution within the device's security boundary.

Who is most exposed

Devices deployed where admin interfaces are exposed to the internet or inadequately isolated from the LAN (typical consumer/SMB router deployments), especially those still running the affected firmware with the vulnerable endpoint enabled.

Detection ideas

  • Unusual requests to the formOneKeyAccessButton endpoint with crafted or anomalous submit-url values.
  • Network traffic spikes or anomalies on admin ports (HTTP/HTTPS) from the internet or untrusted networks.
  • Device reboots, crashes, or memory corruption logs indicating buffer overflow.
  • PoC indicators or exploitation attempts observed in IDS/IPS logs or application dumps.
  • Anomalous or repeated failed login attempts followed by unusual session activity.
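The first detection idea above (requests to the formOneKeyAccessButton endpoint carrying anomalous submit-url values) can be turned into a simple log-scanning rule. The following is an added example, not code from the advisory or from TOTOLINK: it assumes a reverse proxy or IDS in front of the router that records the request target and the form body in the constructed log format shown, and it uses an assumed length threshold (`MAX_NORMAL_LEN`) since legitimate submit-url values on these devices are short relative paths. The sample log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and argument named in the advisory.
VULN_PATH = "/boafrm/formOneKeyAccessButton"
VULN_PARAM = "submit-url"
# Heuristic threshold (assumption): genuine submit-url values are short
# relative paths such as /index.htm; anything far longer is suspicious.
MAX_NORMAL_LEN = 128

# Constructed log format (assumption): a proxy/IDS in front of the device that
# records timestamp, source IP, method, request target and the form body seen.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<target>\S+)" body="(?P<body>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # Parameters may arrive in the query string (GET) or in the form body (POST).
    params = parse_qs(parts.query, keep_blank_values=True)
    params.update(parse_qs(rec["body"], keep_blank_values=True))
    rec["params"] = params
    return rec


def classify(rec):
    """Return a reason string if the record looks like abuse of the vulnerable
    endpoint, otherwise None."""
    if rec is None or rec["path"] != VULN_PATH:
        return None
    for value in rec["params"].get(VULN_PARAM, []):
        if len(value) > MAX_NORMAL_LEN:
            return f"{VULN_PARAM} length {len(value)} exceeds {MAX_NORMAL_LEN}"
        # parse_qs has already percent-decoded the value, so raw control or
        # high bytes show up here directly.
        if any(ord(c) < 0x20 or ord(c) > 0x7E for c in value):
            return f"{VULN_PARAM} contains non-printable bytes"
    return None


def scan(lines):
    """Return (source_ip, reason) pairs for every line worth alerting on."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        reason = classify(rec)
        if reason:
            alerts.append((rec["src"], reason))
    return alerts


# Constructed sample log: one benign request to the endpoint, one oversized
# value, one request to a different endpoint, one value with control bytes.
SAMPLE_LOG = [
    '2025-09-02T10:00:01Z 192.0.2.10 "POST /boafrm/formOneKeyAccessButton" '
    'body="submit-url=%2Findex.htm&action=1"',
    '2025-09-02T10:00:05Z 203.0.113.7 "POST /boafrm/formOneKeyAccessButton" '
    'body="submit-url=' + "x" * 400 + '"',
    '2025-09-02T10:00:09Z 192.0.2.10 "GET /boafrm/formLogin?submit-url=%2Fhome.htm" '
    'body=""',
    '2025-09-02T10:00:12Z 198.51.100.4 "POST /boafrm/formOneKeyAccessButton" '
    'body="submit-url=%2Fa%00%FF"',
]

if __name__ == "__main__":
    for src, reason in scan(SAMPLE_LOG):
        print(f"ALERT src={src}: {reason}")
```

The rule keys on the endpoint path first, so ordinary traffic to other /boafrm/ handlers is never inspected, and it alerts on the two properties an overflow attempt must exhibit (an overlong value, or bytes that no legitimate redirect path contains) rather than on any specific payload, which keeps it robust against trivial PoC variations. Pair it with the crash and reboot indicators above, since a successful overflow will often leave no further request in the log.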

Mitigation and prioritisation

  • Patch promptly: apply firmware updates addressing the vulnerability; verify vendor advisory and update guidance.
  • If patching is not feasible, disable remote management or restrict admin access to trusted networks or VPNs; implement strict access controls.
  • Network controls: segment IoT/edge devices from critical assets; enforce ingress/egress filtering for management traffic.
  • Monitoring: enable anomaly detection for endpoint crashes, memory errors, and admin-interface abuse; log and alert on suspicious /boafrm/formOneKeyAccessButton activity.
  • Change-management: validate baseline configurations post-update; document remediation as a high-priority security change.
