CVE-2025-5792

8.8 HIGH

📋 TL;DR

A critical buffer overflow vulnerability in TOTOLINK EX1200T routers allows remote attackers to execute arbitrary code by sending specially crafted HTTP POST requests to the /boafrm/formWlanRedirect endpoint. This affects users of TOTOLINK EX1200T routers running firmware version 4.1.2cu.5232_B20210713. The vulnerability is remotely exploitable without authentication.

💻 Affected Systems

Products:
  • TOTOLINK EX1200T
Versions: 4.1.2cu.5232_B20210713
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the HTTP POST request handler component specifically when processing the redirect-url parameter.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete device compromise, persistence installation, network pivoting, and data exfiltration.

🟠 Likely Case: Remote code execution allowing attackers to modify router settings, intercept traffic, or use the device as a botnet node.

🟢 If Mitigated: Denial of service or limited impact if proper network segmentation and access controls are implemented.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable via HTTP requests, making internet-facing devices immediately vulnerable.
🏢 Internal Only: HIGH - Even internally, any device with network access to the router can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available on GitHub, making this easily weaponizable by attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.totolink.net/

Restart Required: Yes

Instructions:

1. Check the TOTOLINK website for firmware updates.
2. Download the latest firmware.
3. Log into the router admin interface.
4. Navigate to the firmware upgrade section.
5. Upload and apply the new firmware.
6. Reboot the router.

🔧 Temporary Workarounds

Block HTTP access to router (Linux)

Prevent external access to the router web interface using firewall rules:

# Drop inbound HTTP/HTTPS to the web interface. As written, these rules block
# management access from every interface, including the LAN; add
# -i <wan-interface> (placeholder for your WAN interface name) to limit them
# to the WAN side.
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Disable remote management (all platforms)

Turn off remote administration features in the router settings.

🧯 If You Can't Patch

  • Segment router management interface to isolated VLAN
  • Implement strict network access controls allowing only trusted IPs to access router management

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version via the admin interface (a version of 4.1.2cu.5232_B20210713 is vulnerable), or probe the endpoint with curl using a test payload: curl -X POST http://router-ip/boafrm/formWlanRedirect

Check Version:

Run curl -s http://router-ip/ or check the System Status page of the router admin interface.

Verify Fix Applied:

Verify that the firmware version is later than 4.1.2cu.5232_B20210713 and that the exploit no longer works.

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST requests to /boafrm/formWlanRedirect
  • Unusual buffer overflow errors in router logs
  • Failed authentication attempts followed by exploit attempts

Network Indicators:

  • HTTP POST requests with long redirect-url parameters
  • Traffic patterns matching known exploit signatures
  • Unusual outbound connections from router

SIEM Query:

source="router_logs" AND (url="/boafrm/formWlanRedirect" OR message="*buffer overflow*")
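Detection logic for the log and network indicators above, as an added example that is not part of this advisory: it parses a simplified access-log format (an assumption, not the router's real log layout), flags POSTs to /boafrm/formWlanRedirect whose decoded redirect-url is oversized, and flags repeated POSTs from one source; the 256-byte cut-off and burst limit are assumed thresholds, and the sample lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

ENDPOINT = "/boafrm/formWlanRedirect"
PARAM = "redirect-url"
MAX_PARAM_LEN = 256  # assumed cut-off; the advisory gives no buffer size
BURST_LIMIT = 3      # assumed: this many POSTs from one source counts as "multiple"

# Assumed log format (not TOTOLINK's): "<src-ip> <method> <path> <post-body-or-dash>".
LOG_RE = re.compile(r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<body>.*)$")

# Constructed sample lines: one benign redirect, three oversized ones from a
# single source, and unrelated requests that must not trigger.
SAMPLE_LOG = "\n".join([
    "192.168.1.23 POST /boafrm/formWlanRedirect redirect-url=http%3A%2F%2Fintranet.example%2F&submit-url=%2Fwlan.htm",
    "192.168.1.23 GET /wlan.htm -",
    "203.0.113.9 POST /boafrm/formWlanRedirect redirect-url=" + "x" * 600,
    "203.0.113.9 POST /boafrm/formWlanRedirect redirect-url=" + "x" * 600,
    "203.0.113.9 POST /boafrm/formWlanRedirect redirect-url=" + "x" * 600,
    "198.51.100.4 POST /boafrm/formLogin username=admin&password=REDACTED",
])

def param_length(body: str) -> int:
    """Decoded length of the redirect-url value in a URL-encoded POST body (0 if absent)."""
    values = parse_qs(body, keep_blank_values=True).get(PARAM, [])
    return max((len(v) for v in values), default=0)

def scan(log_text: str) -> list:
    """Flag oversized redirect-url values and repeated POSTs to the endpoint."""
    alerts, posts = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != ENDPOINT:
            continue
        posts[m["src"]] += 1
        n = param_length(m["body"])
        if n > MAX_PARAM_LEN:
            alerts.append({"src": m["src"], "reason": "oversized redirect-url", "length": n})
    for src, count in posts.items():
        if count >= BURST_LIMIT:
            alerts.append({"src": src, "reason": "repeated POSTs", "count": count})
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```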
