CVE-2025-9780

8.8 HIGH

📋 TL;DR

This vulnerability is a remote buffer overflow in the formIpQoS function of TOTOLINK A702R routers. Attackers can trigger it remotely by supplying malformed MAC address arguments, potentially leading to arbitrary code execution. Only TOTOLINK A702R routers running the affected firmware version are impacted.

💻 Affected Systems

Products:
  • TOTOLINK A702R
Versions: 4.0.0-B20211108.1423
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the formIpQoS function of the web management interface. The flaw is in the firmware itself and does not depend on any particular configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote attackers can execute arbitrary code with router privileges, potentially taking full control of the device, intercepting network traffic, or using it as a foothold for further attacks.

🟠 Likely Case

Remote code execution leading to device compromise, enabling attackers to modify router settings, intercept traffic, or deploy malware.

🟢 If Mitigated

If properly segmented and firewalled, impact is limited to the router itself, though it could still be used for traffic interception or as a pivot point.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept exploit code is publicly available on GitHub. The vulnerability requires no authentication and is straightforward to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: Yes

Instructions:

1. Check the TOTOLINK website for firmware updates.
2. Download the latest firmware for the A702R.
3. Access the router web interface.
4. Navigate to the firmware upgrade section.
5. Upload and apply the new firmware.
6. Reboot the router.

🔧 Temporary Workarounds

Disable Remote Management
Applies to: all
Prevent external access to the router's web interface

Network Segmentation
Applies to: all
Isolate the router management interface to trusted network segments only

🧯 If You Can't Patch

  • Replace affected routers with patched or different models
  • Implement strict network access controls to limit exposure of router management interfaces

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via web interface at System Status > Firmware Version

Check Version:

Check via router web interface; no direct CLI command available

Verify Fix Applied:

Verify firmware version is newer than 4.0.0-B20211108.1423

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /boafrm/formIpQoS with malformed MAC addresses
  • Multiple failed login attempts followed by formIpQoS access
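A small detector for the first log indicator, added here as an example and not part of this advisory: it scans constructed proxy-style log lines (client, method, path, form body) for POSTs to /boafrm/formIpQoS whose MAC-address arguments fail strict validation. The log layout and the assumption that the relevant form field names contain "mac" are mine; the page does not give the field names.

```python
import re
from urllib.parse import parse_qs

# Strict form of a MAC address: six hex octets separated by colons.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
TARGET_PATH = "/boafrm/formIpQoS"   # endpoint named in the log indicators above

# Constructed sample log lines (not real traffic). Assumed layout:
# <client ip> <method> <path> <url-encoded form body>
# Field names ("mac", "srcMac") are assumptions; the page does not list them.
SAMPLE_LOG = """\
192.0.2.10 POST /boafrm/formIpQoS mac=00:11:22:33:44:55&bandwidth=100
192.0.2.10 GET /boafrm/formIpQoS
198.51.100.7 POST /boafrm/formIpQoS srcMac=00:11:22:33:44:55:66:77:88:99&bandwidth=100
198.51.100.7 POST /boafrm/formIpQoS mac=""" + "AB" * 48 + """&bandwidth=100
192.0.2.20 POST /boafrm/formLogin username=admin&password=secret
"""

def check_mac_args(body: str) -> list:
    """Return the values of every MAC-looking parameter that fails strict validation."""
    bad = []
    for key, values in parse_qs(body, keep_blank_values=True).items():
        if "mac" not in key.lower():   # assumption: MAC fields have "mac" in the name
            continue
        for value in values:
            if not MAC_RE.match(value):
                bad.append(value)
    return bad

def find_suspicious(log_text: str) -> list:
    """Flag POSTs to the formIpQoS endpoint whose MAC arguments are malformed or oversized."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 3:
            continue
        src, method, path = parts[0], parts[1], parts[2]
        body = parts[3] if len(parts) == 4 else ""
        if method != "POST" or path != TARGET_PATH:
            continue
        bad = check_mac_args(body)
        if bad:
            # Report the length of each bad value rather than the value itself.
            hits.append({"src": src, "bad_mac_lengths": [len(v) for v in bad]})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```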

Network Indicators:

  • Unusual traffic patterns from router IP
  • Exploit payloads in HTTP requests to router management interface

SIEM Query:

http.url:*formIpQoS AND (http.method:POST OR http.status_code:500)
