CVE-2025-63466

Severity: 7.5 HIGH

📋 TL;DR

This vulnerability is a stack overflow in the Totolink LR350 router's password parameter handling that allows attackers to cause Denial of Service (DoS) via crafted requests. Attackers can crash the device or potentially execute arbitrary code. Organizations using Totolink LR350 routers with vulnerable firmware are affected.

💻 Affected Systems

Products:
  • Totolink LR350
Versions: v9.3.5u.6369_B20220309
Operating Systems: Embedded Linux (router firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the specific firmware version mentioned; other versions may also be vulnerable but unconfirmed

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete device compromise, persistent backdoor installation, and network infiltration

🟠 Likely Case: Denial of Service causing router crashes and network disruption requiring physical reset

🟢 If Mitigated: Limited to DoS impact with proper network segmentation and access controls

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices directly accessible to attackers
🏢 Internal Only: MEDIUM - Internal attackers could exploit if they gain network access

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept available on GitHub; exploitation requires sending crafted requests to vulnerable endpoint

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: Yes

Instructions:

1. Check Totolink website for firmware updates
2. Download latest firmware for LR350
3. Access router admin interface
4. Navigate to firmware upgrade section
5. Upload and apply new firmware
6. Reboot router after update

🔧 Temporary Workarounds

Network Segmentation (all platforms)

Isolate router management interface from untrusted networks

Access Control Lists (linux)

Restrict access to router management interface to trusted IPs only. The two rules below accept port 80 from the trusted host and drop every other client; replace TRUSTED_IP with the management host's address, and add the same pair for port 443 if HTTPS management is enabled. Because -A appends to the INPUT chain, they must be placed before any existing rule that already accepts port 80, or the DROP never matches.

# accept the management host first, then drop all other clients on port 80
iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

  • Replace vulnerable router with updated model or different vendor
  • Implement network monitoring for exploitation attempts and anomalous traffic patterns

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface under System Status or Firmware Upgrade section

Check Version:

curl -s http://router-ip/cgi-bin/luci/ | grep -i version

Replace router-ip with the router's management address. The path is a placeholder: /cgi-bin/luci/ is the OpenWrt LuCI web UI path and may not exist on the LR350's stock firmware, so point the request at whichever page of the router's admin interface displays the firmware version.

Verify Fix Applied:

Verify firmware version is newer than v9.3.5u.6369_B20220309 and test with known exploit payloads. Since no fixed version or vendor advisory is listed under Official Fix above, a newer version number alone does not prove the overflow was fixed; the payload test is what confirms it.

📡 Detection & Monitoring

Log Indicators:

  • Repeated connection attempts to vulnerable endpoint
  • Router crash/reboot events in system logs
  • Unusual large password parameter values in web logs

Network Indicators:

  • HTTP POST requests with abnormally long password parameters to router management interface
  • Traffic patterns indicating DoS attempts

SIEM Query:

source="router_logs" AND ("sub_426EF8" OR "password parameter overflow" OR "connection reset" OR "segmentation fault")

Note that sub_426EF8 is a disassembler-assigned name for the vulnerable function, not a string the router itself writes to its logs, so in practice the crash-related terms (connection reset, segmentation fault) carry this query; adjust the source name to match your log pipeline.
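An added example (not from this page or from Totolink) of the log and network indicators described above: it scans constructed, tab-separated request records such as a proxy or IDS in front of the management interface might keep, flags requests whose password parameter exceeds an assumed length threshold, and counts hits per source address. The record format, the 64-byte threshold and the /cgi-bin/login path are assumptions made for the example.

```python
"""Flag requests whose 'password' form parameter is abnormally long.

Assumed input (constructed here, not a Totolink log format): one request
per line, tab-separated as <timestamp> <src_ip> <method> <path> <body>,
as a proxy or IDS in front of the management interface might record it.
"""
from collections import Counter
from urllib.parse import parse_qs

# Assumed threshold; typed passwords are far shorter than one that overruns a stack buffer.
MAX_PASSWORD_LEN = 64

def password_length(params: str) -> int:
    """Longest value given for the 'password' parameter, or 0 if absent."""
    fields = parse_qs(params, keep_blank_values=True)
    return max((len(v) for v in fields.get("password", [])), default=0)

def parse_line(line: str):
    """Split one record into a dict, or return None for a malformed line."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None  # skip junk instead of crashing the detector
    ts, src, method, path, params = parts
    return {"ts": ts, "src": src, "method": method, "path": path, "params": params}

def find_suspicious(lines, max_len: int = MAX_PASSWORD_LEN):
    """Return (alerts, per-source counts) for oversized password parameters."""
    alerts, by_src = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        plen = password_length(rec["params"])
        if plen > max_len:
            alerts.append((rec["ts"], rec["src"], rec["path"], plen))
            by_src[rec["src"]] += 1
    return alerts, by_src

# Constructed sample records; /cgi-bin/login is a placeholder path.
SAMPLE_LOG = [
    "2025-01-01T10:00:01\t192.0.2.10\tPOST\t/cgi-bin/login\tusername=admin&password=hunter2",
    "2025-01-01T10:00:05\t192.0.2.10\tPOST\t/cgi-bin/login\tusername=admin&password=correct-horse",
    "2025-01-01T10:00:09\t203.0.113.7\tPOST\t/cgi-bin/login\tusername=admin&password=" + "A" * 600,
    "garbage line without tabs",
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG)[0]:
        print(hit)
```

Feed real records by reading them from a file or pipe instead of SAMPLE_LOG; the per-source counter is what turns a single oversized value into the repeated-attempt indicator listed above.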
