CVE-2025-26008

9.8 CRITICAL

📋 TL;DR

An unauthenticated stack overflow vulnerability in Telesquare TLR-2005KSH routers allows remote attackers to execute arbitrary code by sending specially crafted requests to the admin.cgi endpoint with the setSyncTimeHost parameter. This affects all users running version 1.1.4 of the firmware. Attackers can gain complete control of affected devices without authentication.

💻 Affected Systems

Products:
  • Telesquare TLR-2005KSH
Versions: 1.1.4
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running the vulnerable firmware version are affected regardless of configuration.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise leading to persistent backdoor installation, network pivoting, credential theft, and botnet recruitment.

🟠

Likely Case

Remote code execution resulting in device takeover, configuration modification, and network surveillance capabilities.

🟢

If Mitigated

Limited impact if devices are behind firewalls with strict inbound filtering and network segmentation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The GitHub reference contains technical details and proof-of-concept information. Exploitation requires sending a crafted HTTP request to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

No official patch is currently available. Monitor Telesquare's website for security updates and firmware releases.

🔧 Temporary Workarounds

Block admin.cgi Access

Platform: linux

Use firewall rules to block external access to the admin.cgi endpoint. Note that the string match only inspects plaintext packets: on port 443 the request path is inside TLS, so the second rule will not match and management access on HTTPS should instead be restricted to trusted source addresses.

iptables -A INPUT -p tcp --dport 80 -m string --string "admin.cgi" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string "admin.cgi" --algo bm -j DROP

Network Segmentation

Platform: all

Isolate affected devices in separate VLANs with strict access controls.

🧯 If You Can't Patch

  • Immediately disconnect affected devices from internet-facing interfaces
  • Implement strict network access controls limiting communication to/from affected devices

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface at System > Firmware Upgrade or via SSH with 'cat /etc/version'

Check Version:

cat /etc/version 2>/dev/null || grep -i version /proc/cpuinfo

Verify Fix Applied:

Verify firmware version is updated beyond 1.1.4 when patch becomes available

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing 'admin.cgi' with 'setSyncTimeHost' parameter
  • Unusual process execution or system modifications

Network Indicators:

  • HTTP POST requests to /admin.cgi with long parameter values
  • Unusual outbound connections from router

SIEM Query:

source="router_logs" AND (uri="*admin.cgi*" AND param="*setSyncTimeHost*")
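As an added example (not part of this advisory or any vendor tooling), the indicators above applied to constructed web-server access-log lines: flag any request to admin.cgi that carries setSyncTimeHost, and raise severity when the value is longer than a plausible hostname. The 253-character threshold, the log format and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate time-server hostname fits in 253 characters (DNS limit),
# so a longer setSyncTimeHost value is treated as a high-severity finding.
MAX_HOST_LEN = 253

# Common/combined log format; only the query string is visible here. A value sent
# in a POST body needs request-body logging at a reverse proxy or WAF to be seen.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(line):
    """Return a finding for a request to admin.cgi carrying setSyncTimeHost, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/admin.cgi"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if "setSyncTimeHost" not in params:
        return None
    value = params["setSyncTimeHost"][0]
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        # A 5xx on the same request is a further hint that the CGI crashed on the value.
        "status": int(m.group("status")),
        "length": len(value),
        "severity": "high" if len(value) > MAX_HOST_LEN else "low",
    }

def scan(lines):
    """Run classify over an iterable of log lines and keep only the findings."""
    return [f for f in map(classify, lines) if f is not None]

# Constructed sample lines (not real traffic): a benign NTP host setting, an
# unrelated request, and an oversized value matching the indicators above.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2025:12:00:01 +0000] "GET /admin.cgi?setSyncTimeHost=pool.ntp.org HTTP/1.1" 200 512',
    '192.0.2.10 - - [10/Mar/2025:12:00:02 +0000] "GET /index.cgi HTTP/1.1" 200 1024',
    '198.51.100.7 - - [10/Mar/2025:12:00:03 +0000] "POST /admin.cgi?setSyncTimeHost='
    + "A" * 600 + ' HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```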
