CVE-2025-6144 Overview
CVE-2025-6144 is a buffer overflow vulnerability affecting the TOTOLINK EX1200T Wi-Fi range extender running firmware version 4.1.2cu.5232_B20210713. The flaw resides in the HTTP POST request handler at the /boafrm/formSysCmd endpoint. Attackers can trigger the overflow by manipulating the submit-url parameter. The vulnerability is exploitable remotely and a public exploit disclosure exists. The weakness is classified under CWE-119, improper restriction of operations within the bounds of a memory buffer.
Critical Impact
Remote attackers with low-privileged access can corrupt memory on affected TOTOLINK EX1200T devices through a crafted HTTP POST request, potentially leading to arbitrary code execution or denial of service on the embedded router.
Affected Products
- TOTOLINK EX1200T hardware device
- TOTOLINK EX1200T firmware version 4.1.2cu.5232_B20210713
- Deployments exposing the device web management interface (/boafrm/formSysCmd)
Discovery Timeline
- 2025-06-16 - CVE-2025-6144 published to NVD
- 2025-06-23 - Last updated in NVD database
Technical Details for CVE-2025-6144
Vulnerability Analysis
The vulnerability exists in the boa web server component bundled with the TOTOLINK EX1200T firmware. The formSysCmd handler processes HTTP POST requests submitted to /boafrm/formSysCmd. The handler reads the submit-url parameter from the request body without enforcing proper length validation before copying the data into a fixed-size stack or heap buffer.
Because the handler runs as part of the router's HTTP daemon, successful exploitation grants the attacker control over the execution context of that process. On MIPS-based TOTOLINK devices, the HTTP service typically runs with elevated privileges, expanding the post-exploitation impact. The vulnerability requires network reachability to the management interface and low-privilege authentication on the device. The EPSS model places this issue in the 80th percentile for likelihood of observed exploitation activity.
Root Cause
The root cause is missing bounds checking on attacker-controlled input. The submit-url argument is copied into a buffer using an unsafe string-handling routine that does not respect the destination size. This pattern matches CWE-119, where operations on memory exceed the intended buffer boundary.
Attack Vector
An attacker sends a crafted HTTP POST request to /boafrm/formSysCmd with an oversized submit-url value. The request can be issued from any host that can reach the router's web interface, including LAN-side hosts and, where management access is exposed, internet-based attackers. The overflow overwrites adjacent memory, which can corrupt control flow data such as return addresses or function pointers used by the boa HTTP daemon.
No authenticated administrative session is required beyond the low-privilege access reflected in the CVSS metrics. Public proof-of-concept material referenced in GitHub PoC for CVE and VulDB #312619 documents the exploitation pattern.
The vulnerability manifests when the submit-url POST parameter exceeds the size of its destination buffer. See the GitHub CVE Documentation for the technical write-up and request structure.
Detection Methods for CVE-2025-6144
Indicators of Compromise
- HTTP POST requests to /boafrm/formSysCmd containing abnormally long submit-url parameter values
- Crashes, watchdog reboots, or repeated restarts of the boa HTTP daemon on TOTOLINK EX1200T devices
- Unexpected outbound connections originating from the router management plane following inbound POST traffic
- Configuration changes on the device that do not correlate with administrator activity
Detection Strategies
- Inspect HTTP request bodies destined for TOTOLINK EX1200T management interfaces for submit-url parameter lengths exceeding typical values
- Alert on POST requests to /boafrm/formSysCmd from non-administrative hosts or external networks
- Correlate router syslog events showing service restarts with preceding inbound HTTP traffic
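An added example (not from the advisory or the vendor) that applies the three detection strategies above to constructed request and syslog records. The length threshold, management subnet, correlation window and record layout are assumptions to replace with local values.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/boafrm/formSysCmd"   # endpoint named in the advisory
PARAM = "submit-url"              # parameter named in the advisory
MAX_PARAM_LEN = 128               # assumption: set from your own baseline
ADMIN_NETS = [ip_network("192.168.10.0/28")]  # assumption: management hosts
RESTART_WINDOW = timedelta(seconds=60)        # assumption: correlation window


def is_endpoint_post(method, target):
    return method.upper() == "POST" and urlsplit(target).path == ENDPOINT


def inspect_request(src_ip, method, target, body):
    """Return alert tags for one captured HTTP request to the device."""
    if not is_endpoint_post(method, target):
        return []
    trusted = any(ip_address(src_ip) in net for net in ADMIN_NETS)
    alerts = [] if trusted else ["non-admin-source"]
    # Check every occurrence of the parameter, measured after percent-decoding.
    values = parse_qs(body, keep_blank_values=True).get(PARAM, [])
    longest = max((len(v) for v in values), default=0)
    if longest > MAX_PARAM_LEN:
        alerts.append(f"oversized-{PARAM}:{longest}")
    return alerts


def restarts_after_posts(requests, restarts):
    """Pair each daemon restart with endpoint POSTs seen shortly before it."""
    return [(restart, src_ip)
            for restart in restarts
            for ts, src_ip, method, target, _body in requests
            if is_endpoint_post(method, target)
            and timedelta(0) <= restart - ts <= RESTART_WINDOW]


T0 = datetime(2025, 6, 20, 10, 0, 0)  # constructed sample data from here on
SAMPLE_REQUESTS = [  # (time, source IP, method, request target, form body)
    (T0, "192.168.10.5", "POST", ENDPOINT, "submit-url=%2Fexample.htm"),
    (T0 + timedelta(minutes=5), "192.168.1.77", "POST", ENDPOINT + "?x=1",
     "submit-url=" + "x" * 600),
]
SAMPLE_RESTARTS = [T0 + timedelta(minutes=5, seconds=20)]  # syslog restart time

if __name__ == "__main__":
    print([inspect_request(*r[1:]) for r in SAMPLE_REQUESTS])
    print(restarts_after_posts(SAMPLE_REQUESTS, SAMPLE_RESTARTS))
```

Measuring the decoded value keeps percent-encoded but short inputs from tripping the length alert, and checking every occurrence covers requests that repeat the parameter.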
Monitoring Recommendations
- Forward router syslog and HTTP access logs to a centralized logging platform for retention and analysis
- Baseline normal traffic patterns to the device management interface and flag deviations
- Monitor for scanning activity targeting /boafrm/ URI paths across the network perimeter
How to Mitigate CVE-2025-6144
Immediate Actions Required
- Restrict access to the EX1200T web management interface to trusted management VLANs or hosts only
- Disable remote WAN-side administration on affected devices
- Rotate device administrative credentials and enforce strong passwords to reduce the value of the low-privilege precondition
- Inventory deployed TOTOLINK EX1200T units and identify any running firmware 4.1.2cu.5232_B20210713
Patch Information
No vendor patch has been published in the referenced advisories at the time of NVD publication. Monitor the Totolink Official Website for firmware updates addressing the formSysCmd handler. Until a fixed firmware release is available, compensating controls are required.
Workarounds
- Place the device behind a firewall that blocks inbound HTTP and HTTPS to the management interface from untrusted networks
- Segment IoT and networking equipment onto a dedicated VLAN with no direct user or internet exposure
- Replace the affected device with a supported model if a firmware fix is not released by the vendor
- Disable any port forwarding or UPnP rules that expose the router management interface
# Example firewall rule to block external access to the management interface
# Adjust interface and management subnet to match the local environment
iptables -A FORWARD -p tcp -d <router_ip> --dport 80 -i <wan_iface> -j DROP
iptables -A FORWARD -p tcp -d <router_ip> --dport 443 -i <wan_iface> -j DROP

