CVE-2025-63465 Overview
CVE-2025-63465 is a stack overflow vulnerability in the Totolink LR350 router running firmware version 9.3.5u.6369_B20220309. The flaw resides in the sub_422880 function and is triggered through the ssid parameter. Remote attackers can send a crafted request to overflow the stack buffer and cause a Denial of Service (DoS) condition on the device. The vulnerability is classified under [CWE-121] Stack-based Buffer Overflow and requires no authentication or user interaction to exploit.
Critical Impact
Unauthenticated remote attackers can crash the router and disrupt network connectivity by sending a malformed ssid parameter to the affected endpoint.
Affected Products
- Totolink LR350 router (hardware)
- Totolink LR350 firmware version 9.3.5u.6369_B20220309
- Deployments exposing the affected web interface to untrusted networks
Discovery Timeline
- 2025-10-31 - CVE-2025-63465 published to the National Vulnerability Database (NVD)
- 2025-11-05 - Last updated in NVD database
Technical Details for CVE-2025-63465
Vulnerability Analysis
The vulnerability is a stack-based buffer overflow in the sub_422880 function of the Totolink LR350 firmware. The function processes the ssid parameter from an incoming HTTP request without enforcing a maximum length on the input. When the supplied value exceeds the fixed-size stack buffer, adjacent stack memory is overwritten, corrupting saved registers and the return address.
The condition reliably crashes the request-handling process, producing a Denial of Service on the router. Because the device serves as the network gateway, a successful attack disrupts connectivity for all clients behind it. Exploitation requires only network reachability to the affected service, with no credentials or user interaction.
Root Cause
The root cause is the absence of bounds checking when copying the user-supplied ssid value into a fixed-size stack buffer inside sub_422880. The firmware uses an unsafe string-copy operation without validating input length against the destination size. This pattern is common in embedded MIPS/ARM router binaries that rely on strcpy-style routines.
Attack Vector
An attacker sends a crafted HTTP request to the router's management interface with an oversized ssid parameter. The malformed request reaches sub_422880, where the unchecked copy operation overflows the stack buffer and triggers a crash. Exploitation is network-based and requires no authentication. The current public report describes only DoS impact; memory corruption-based code execution has not been demonstrated.
The vulnerability is described in prose in the public GitHub Vulnerability Report; no verified proof-of-concept code is reproduced here.
Detection Methods for CVE-2025-63465
Indicators of Compromise
- Unexpected reboots or crashes of the Totolink LR350 router coinciding with inbound HTTP requests
- HTTP requests to the router's web interface containing abnormally long ssid parameter values
- Loss of LAN or WAN connectivity for clients behind the router without a corresponding administrative action
Detection Strategies
- Inspect HTTP traffic to the router management interface for ssid parameter values exceeding expected lengths (typically 32 bytes per IEEE 802.11)
- Monitor router availability with ICMP or SNMP polling and alert on repeated unplanned restarts
- Correlate router crash events with source IPs that issued requests immediately prior to the outage
Monitoring Recommendations
- Forward router syslog output to a central collector and alert on watchdog or process-restart messages
- Track inbound connections to the router's HTTP/HTTPS administrative ports from non-management subnets
- Baseline normal request patterns to the device and flag anomalous parameter sizes or request rates
How to Mitigate CVE-2025-63465
Immediate Actions Required
- Restrict access to the router's management interface to trusted internal management VLANs only
- Block inbound WAN access to the HTTP/HTTPS administration ports on the LR350
- Audit firmware versions across the fleet and identify all devices running 9.3.5u.6369_B20220309
- Monitor the Totolink support site for an updated firmware release addressing this CVE
Patch Information
At the time of publication, no vendor advisory or fixed firmware version has been published for CVE-2025-63465. The only public reference is the GitHub Vulnerability Report. Administrators should track vendor channels for a firmware update and apply it as soon as it becomes available.
Workarounds
- Place the router behind an upstream firewall that filters unsolicited inbound traffic to the management interface
- Disable remote management features that expose the web interface to untrusted networks
- Segment guest and untrusted Wi-Fi clients away from the management VLAN to limit attack surface
- Consider replacing affected devices with supported hardware if a vendor patch is not released in a timely manner
# Example: block inbound WAN access to router admin ports on an upstream firewall (iptables)
iptables -A FORWARD -d <router_wan_ip> -p tcp -m multiport --dports 80,443,8080 -j DROP
iptables -A FORWARD -d <router_wan_ip> -p tcp --dport 22 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

