CVE-2025-67189 Overview
CVE-2025-67189 is a buffer overflow vulnerability [CWE-120] affecting the TOTOLINK A950RG router running firmware version 4.1.2cu.5204_B20210112. The flaw resides in the setParentalRules interface, where the urlKeyword parameter receives no length validation before being concatenated into a fixed-size stack buffer. An attacker on an adjacent network can send a crafted request to trigger memory corruption. Successful exploitation results in denial of service and may enable arbitrary code execution on the device.
Critical Impact
Adjacent network attackers can crash the router or potentially execute arbitrary code by sending an oversized urlKeyword parameter to the setParentalRules endpoint.
Affected Products
- TOTOLINK A950RG router (hardware)
- TOTOLINK A950RG firmware version 4.1.2cu.5204_B20210112
- Any deployments exposing the web management interface on an adjacent network segment
Discovery Timeline
- 2026-02-03 - CVE-2025-67189 published to NVD
- 2026-02-10 - Last updated in NVD database
Technical Details for CVE-2025-67189
Vulnerability Analysis
The vulnerability exists in the setParentalRules handler of the TOTOLINK A950RG web management interface. The function processes multiple user-controlled parameters submitted to configure parental control rules. The urlKeyword field, along with other inputs, is concatenated into a stack-allocated buffer of fixed size. The implementation performs no length validation and uses unsafe string operations to build the destination buffer.
When the combined input length exceeds the buffer capacity, adjacent stack memory is overwritten. This corruption can include saved return addresses and stack frame pointers. The attack requires no authentication or user interaction and originates from the adjacent network, typically the LAN or wireless segment served by the device.
Root Cause
The root cause is missing boundary checking on the urlKeyword parameter and other concatenated fields prior to copying into a fixed-size stack buffer. The function trusts client-supplied input lengths and uses unsafe string concatenation routines. This pattern is a textbook classic buffer overflow [CWE-120] common in embedded MIPS-based router firmware.
Attack Vector
An attacker with access to the adjacent network sends a crafted HTTP request to the setParentalRules endpoint of the router's management interface. The request includes a urlKeyword value sized to overflow the destination buffer. The corrupted stack state causes the HTTP daemon to crash, denying service to all clients. With reliable exploit primitives, an attacker may redirect execution flow to attacker-controlled memory and gain code execution as the web server process, which typically runs with root privileges on consumer routers.
No verified exploit code or vendor patch is publicly available at this time. Technical details are documented in the GitHub PoC Repository.
Detection Methods for CVE-2025-67189
Indicators of Compromise
- Unexpected reboots or crashes of the TOTOLINK A950RG HTTP management daemon
- HTTP POST requests to the setParentalRules endpoint containing abnormally long urlKeyword values
- Loss of router management interface availability following inbound LAN or Wi-Fi traffic to the admin port
Detection Strategies
- Inspect HTTP request logs on the router or upstream network sensors for setParentalRules requests with payload sizes exceeding normal configuration values.
- Deploy network intrusion detection signatures that flag oversized urlKeyword parameters destined for TOTOLINK management interfaces.
- Correlate router uptime resets with preceding inbound HTTP traffic to identify exploitation attempts that cause denial of service.
Monitoring Recommendations
- Forward router syslog output to a centralized logging platform and alert on repeated HTTP daemon restarts.
- Monitor wireless and LAN segments for unauthorized hosts attempting to reach the router management interface.
- Track configuration changes to parental control rules and alert on unexpected modifications.
How to Mitigate CVE-2025-67189
Immediate Actions Required
- Restrict access to the router web management interface to a dedicated management VLAN or trusted administrative hosts only.
- Disable remote management features and ensure the admin interface is not reachable from untrusted wireless networks or guest segments.
- Change default administrator credentials and isolate the affected device pending vendor remediation.
Patch Information
No vendor advisory or firmware patch from TOTOLINK has been published at the time of CVE assignment. Operators of the A950RG running firmware 4.1.2cu.5204_B20210112 should monitor the TOTOLINK support site for firmware updates and apply them once available. Consider replacing end-of-life consumer hardware with actively maintained alternatives if no patch is forthcoming.
Workarounds
- Place the affected router behind a separate firewall that filters traffic destined for the management interface.
- Segment guest Wi-Fi and IoT networks away from the router management VLAN to prevent adjacent network access.
- Disable the parental control feature if it is not in use, reducing exposure of the vulnerable handler.
- Decommission the device in environments where a compensating control cannot be applied.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

