CVE-2025-60684

6.5 MEDIUM

📋 TL;DR

A stack buffer overflow vulnerability in ToToLink router firmware allows unauthenticated attackers to execute arbitrary code or cause memory corruption by sending specially crafted 'lang' parameter values to the web interface. This affects ToToLink LR1200GB and NR1800X routers running specific vulnerable firmware versions. Attackers can exploit this remotely without authentication.

💻 Affected Systems

Products:
  • ToToLink LR1200GB
  • ToToLink NR1800X
Versions: LR1200GB: V9.1.0u.6619_B20230130, NR1800X: V9.1.0u.6681_B20230703
Operating Systems: Embedded Linux firmware
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the cstecgi.cgi binary's sub_42F32C function. All devices running these specific firmware versions are vulnerable by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete router compromise, network traffic interception, credential theft, and lateral movement into connected networks.

🟠 Likely Case: Router crash/reboot causing service disruption, or limited code execution allowing network reconnaissance and persistence.

🟢 If Mitigated: Denial of service from failed exploitation attempts if memory protections are enabled.

🌐 Internet-Facing: HIGH - The vulnerability is in the web interface which is typically internet-facing on routers, and exploitation requires no authentication.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this to compromise the router and pivot to other network segments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public GitHub repository contains analysis and likely exploit code. The vulnerability is straightforward to exploit due to lack of authentication and simple buffer overflow.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: Yes

Instructions:

1. Check the ToToLink website for firmware updates.
2. If an update is available, download it and upload it via the router admin interface.
3. Reboot the router after the update.
4. Verify the new firmware version.

🔧 Temporary Workarounds

Disable WAN access to web interface
Applies to: all
Purpose: Prevent external access to the vulnerable web interface component
Steps: Access router admin interface -> Security/Firewall -> Disable remote management/remote access

Network segmentation
Applies to: all
Purpose: Isolate affected routers in separate network segments
Steps: Configure VLANs to separate router management traffic from user traffic

🧯 If You Can't Patch

  • Replace affected routers with different models/vendors
  • Implement strict network access controls to limit traffic to router management interface

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version in the admin interface. If the version matches one of the affected versions, the device is vulnerable.

Check Version:

Access router web interface at http://[router-ip] and check firmware version in System/Status section

Verify Fix Applied:

Verify firmware version has changed to a newer version not listed in affected versions.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed HTTP requests to cstecgi.cgi with long lang parameters
  • Router crash/reboot logs
  • Unusual outbound connections from router

Network Indicators:

  • HTTP requests to router with unusually long 'lang' parameter values
  • Traffic patterns suggesting router compromise

SIEM Query:

http.url:*cstecgi.cgi* AND http.param:*lang=* AND http.param.length > 100

(Pseudo-syntax; adapt field names and the length threshold to your SIEM. Matching on a literal word in the payload is not useful, since a crafted 'lang' value is arbitrary data; the length of the parameter is the reliable signal.)
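Added detection example (not part of this advisory or any vendor tooling): a Python script that applies the same logic as the SIEM query above to web-server access log lines, flagging requests to cstecgi.cgi whose 'lang' parameter exceeds a length threshold. The Common Log Format layout, the /cgi-bin/ path, the client IPs and the 100-character threshold are assumptions for illustration; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Common Log Format). The /cgi-bin/
# path, IPs and timestamps are assumptions for illustration, not page data.
SAMPLE_LOG = (
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] '
    '"POST /cgi-bin/cstecgi.cgi?lang=en HTTP/1.1" 200 512\n'
    '192.0.2.11 - - [01/Jan/2025:10:00:01 +0000] '
    '"GET /cgi-bin/cstecgi.cgi?lang=' + 'A' * 300 + ' HTTP/1.1" 500 0\n'
    '192.0.2.12 - - [01/Jan/2025:10:00:02 +0000] '
    '"GET /index.html HTTP/1.1" 200 1024\n'
)

# Captures client IP, HTTP method, request URL and status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

LANG_MAX_LEN = 100  # assumed threshold (mirrors the SIEM query); tune to your traffic


def lang_length(url):
    """Length of the longest decoded 'lang' query value, or 0 if absent."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return max((len(v) for v in qs.get('lang', [])), default=0)


def find_suspicious_lang_requests(log_text, max_len=LANG_MAX_LEN):
    """Return one hit per request to cstecgi.cgi whose 'lang' exceeds max_len."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable CLF line; skip it
        ip, method, url, status = m.groups()
        if 'cstecgi.cgi' not in urlsplit(url).path:
            continue
        n = lang_length(url)
        if n > max_len:
            hits.append({'ip': ip, 'method': method,
                         'lang_len': n, 'status': int(status)})
    return hits


if __name__ == '__main__':
    for hit in find_suspicious_lang_requests(SAMPLE_LOG):
        print(hit)
```

A 5xx status alongside an oversized 'lang' value (as in the second sample line) is a stronger indicator than the length alone, since a crash of the CGI handler is the likely outcome described in this advisory.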
