Skip to main content
CVE Vulnerability Database

CVE-2025-9779: Totolink A702r Buffer Overflow Vulnerability

CVE-2025-9779 is a buffer overflow vulnerability in Totolink A702r Firmware affecting the formFilter function. Attackers can exploit this remotely to compromise the device. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2025-9779 Overview

CVE-2025-9779 is a buffer overflow vulnerability in the TOTOLINK A702R router running firmware version 4.0.0-B20211108.1423. The flaw resides in the sub_4162DC function within the /boafrm/formFilter endpoint of the device's web management interface. Attackers manipulate the ip6addr argument to overflow the destination buffer, corrupting adjacent memory on the device.

The vulnerability is remotely exploitable across the network and requires only low-privilege access. Public exploit details have been published, increasing the likelihood of opportunistic attacks against exposed devices.

Critical Impact

Successful exploitation can lead to memory corruption on the router, potentially enabling arbitrary code execution, persistent device compromise, or full denial of service against the affected TOTOLINK A702R hardware.

Affected Products

  • TOTOLINK A702R router (hardware)
  • TOTOLINK A702R firmware version 4.0.0-B20211108.1423
  • Deployments exposing the /boafrm/formFilter web interface to untrusted networks

Discovery Timeline

  • 2025-09-01 - CVE-2025-9779 published to NVD
  • 2025-09-04 - Last updated in NVD database

Technical Details for CVE-2025-9779

Vulnerability Analysis

The vulnerability is a classic buffer overflow [CWE-119] in the embedded web server of the TOTOLINK A702R. The vulnerable handler sub_4162DC processes HTTP POST requests sent to /boafrm/formFilter, which is used to configure IPv4 and IPv6 packet filtering rules on the router.

When the handler parses the ip6addr parameter, it copies user-supplied input into a fixed-size stack buffer without enforcing length checks. Oversized values overrun the buffer and overwrite adjacent stack data, including the saved return address used when the function unwinds.

An attacker with access to the management interface can deliver a crafted request to trigger the overflow. The result is memory corruption that can crash the boa HTTP daemon or be developed into reliable code execution on the MIPS-based device.

Root Cause

The root cause is missing input validation on the ip6addr form field. The firmware lacks a bounds check before performing the string copy into the destination buffer, a recurring pattern in TOTOLINK consumer-grade router firmware.

Attack Vector

Exploitation is performed over the network against the router's HTTP management service. The attacker must hold a low-privilege session on the device. A single oversized POST parameter is sufficient to corrupt memory, and no user interaction is required.

The vulnerability mechanism is documented in the GitHub PoC Repository and tracked in VulDB #322081. No verified exploit code is reproduced here.

Detection Methods for CVE-2025-9779

Indicators of Compromise

  • HTTP POST requests to /boafrm/formFilter containing abnormally long ip6addr parameter values
  • Unexpected restarts or crash logs from the boa web server process on the router
  • Configuration changes to IPv6 filter rules that were not initiated by an administrator
  • Outbound connections from the router to unknown hosts following management-plane access

Detection Strategies

  • Inspect web access logs on the router or upstream proxy for formFilter requests with ip6addr payloads exceeding expected IPv6 address length
  • Deploy network IDS signatures that match oversized form fields posted to TOTOLINK management endpoints
  • Correlate authentication events on the router with subsequent administrative form submissions to identify low-privileged abuse

Monitoring Recommendations

  • Restrict and monitor all HTTP/HTTPS traffic to router management interfaces from non-administrative VLANs
  • Forward router syslog data to a central log platform and alert on repeated boa daemon restarts
  • Track firmware versions across the fleet and flag devices still running 4.0.0-B20211108.1423

How to Mitigate CVE-2025-9779

Immediate Actions Required

  • Remove the TOTOLINK A702R management interface from any WAN-facing exposure and restrict it to a dedicated management network
  • Rotate all router administrative credentials, since the attack requires only low-privilege access
  • Audit IPv6 filter and firewall rule sets for unauthorized modifications

Patch Information

At the time of NVD publication, no vendor-supplied firmware patch addressing CVE-2025-9779 is referenced in the advisory. Monitor the TOTOLink Official Website for firmware updates and apply them as soon as they are released for the A702R platform.

Workarounds

  • Disable remote management on the WAN interface and limit LAN-side access to known administrative IP addresses
  • Place vulnerable devices behind an upstream firewall that drops external requests to /boafrm/formFilter
  • Replace end-of-support TOTOLINK A702R units with currently maintained hardware where a vendor patch is not forthcoming
bash
# Example upstream ACL restricting access to the router admin interface
# Replace 192.0.2.10 with your administrator workstation address
iptables -A FORWARD -p tcp -d <router-ip> --dport 80  -s 192.0.2.10 -j ACCEPT
iptables -A FORWARD -p tcp -d <router-ip> --dport 80  -j DROP
iptables -A FORWARD -p tcp -d <router-ip> --dport 443 -s 192.0.2.10 -j ACCEPT
iptables -A FORWARD -p tcp -d <router-ip> --dport 443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.