CVE-2025-7837: Critical Buffer Overflow Vulnerability in TOTOLINK T6 Router
A critical vulnerability has been discovered in TOTOLINK T6 routers, potentially allowing remote attackers to gain complete control of the device. This flaw, identified as CVE-2025-7837, is a buffer overflow in the MQTT service and should be addressed immediately.
🔍 TL;DR Summary
TOTOLINK T6 routers running firmware version 4.1.5cu.748_B20211015 are vulnerable to a buffer overflow in the MQTT service. An attacker with low privileges on the network can exploit this vulnerability to execute arbitrary code on the router.
🚨 Vulnerability Details
- CVE ID: CVE-2025-7837
- Description: A buffer overflow vulnerability exists in the recvSlaveStaInfo function of the MQTT service in TOTOLINK T6 firmware 4.1.5cu.748_B20211015. By sending a specially crafted MQTT message, an attacker can overwrite the buffer pointed to by the dest argument, leading to arbitrary code execution.
- CVSS Score and Vector:
- CVSS 3.1: 8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- CVSS 4.0: 7.4 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Explanation: The CVSS score indicates a high severity vulnerability. An attacker on the network can exploit this without user interaction, even with low privileges, gaining full control of the router (confidentiality, integrity, and availability impacts are all high).
- Exploit Requirements: An attacker needs network access to the router and low privileges (PR:L in the CVSS vector). A proof-of-concept exploit is publicly available.
- Affected Vendor, Product, Version: TOTOLINK T6, firmware version 4.1.5cu.748_B20211015
- CWE: CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Explanation: This CWE refers to a programming error where data is copied into a buffer without validating the size of the input, potentially overwriting adjacent memory and leading to unexpected behavior or code execution.
📅 Timeline of Events
- 2025-07-19: Vulnerability reported to VulDB.
- 2025-07-19: CVE-2025-7837 assigned.
- 2025-07-19: Public disclosure of exploit.
🧠 Exploitability & Real-World Risk
The availability of a public proof-of-concept exploit significantly increases the risk of this vulnerability being exploited in the wild. Routers are often targeted by botnets and other malicious actors, making this a high-priority vulnerability to address. Successful exploitation could allow attackers to intercept network traffic, inject malware, or use the router as a pivot point to attack other devices on the network.
🛠️ Recommendations
- Apply the Patch: Check the TOTOLINK website for firmware updates and apply the latest patch immediately.
- Disable MQTT Service: If the MQTT service is not required, disable it in the router's configuration.
- Restrict Network Access: Limit access to the router's management interface to trusted networks only.
- Monitor Network Traffic: Implement network monitoring tools to detect suspicious activity and potential exploitation attempts.
🧪 Technical Insight
The vulnerability lies in the recvSlaveStaInfo function. When processing an MQTT message, the function copies data into a buffer without proper bounds checking. By crafting a malicious MQTT message with a payload larger than the buffer, an attacker can overwrite adjacent memory regions, including the return address, allowing them to control the program's execution flow.
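To make the CWE-120 pattern concrete, here is an added illustration (not TOTOLINK's code and not a reconstruction of the real firmware): a hypothetical handler that copies an MQTT payload into a fixed 64-byte field without checking the length, placed next to a hardened version that rejects oversized records before copying. The field name, size and the neighbouring canary field are assumptions for the demonstration only.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical reconstruction, not the vendor's code: the layout and size of
 * the buffer behind recvSlaveStaInfo's 'dest' argument are not published in
 * the advisory, so a 64-byte field followed by one more field is assumed. */
#define STA_INFO_MAX 64

struct sta_info {
    char dest[STA_INFO_MAX];  /* target of the copy ('dest' in the advisory) */
    uint32_t canary;          /* stands in for whatever memory follows dest */
};

/* CWE-120 pattern: payload_len comes straight from the MQTT message and is
 * never compared against sizeof(out->dest), so a long payload runs past it. */
void recv_sta_info_unchecked(struct sta_info *out,
                             const uint8_t *payload, size_t payload_len)
{
    memcpy(out->dest, payload, payload_len);  /* overflows when payload_len > 64 */
}

/* Hardened form: reject oversized records before any copy, keep one byte for
 * the NUL terminator. Returns 0 if accepted, -1 if rejected. */
int recv_sta_info_checked(struct sta_info *out,
                          const uint8_t *payload, size_t payload_len)
{
    if (out == NULL || payload == NULL || payload_len >= sizeof(out->dest))
        return -1;
    memcpy(out->dest, payload, payload_len);
    out->dest[payload_len] = '\0';
    return 0;
}

/* Harness: feed a constructed payload of payload_len 'A' bytes to the hardened
 * handler. Returns its result, or -2 if the field after dest was modified or
 * dest was not left as a proper C string of the expected length. */
int feed_checked(size_t payload_len)
{
    uint8_t payload[256];
    struct sta_info rec = { .dest = {0}, .canary = 0xC0FFEEu };
    if (payload_len > sizeof(payload))
        return -1;
    memset(payload, 'A', payload_len);
    int rc = recv_sta_info_checked(&rec, payload, payload_len);
    if (rec.canary != 0xC0FFEEu || (rc == 0 && strlen(rec.dest) != payload_len))
        return -2;
    return rc;
}
```

The unchecked variant is shown only for contrast and is never called with an oversized payload; the check in the hardened form is the fix a vendor patch for this class of bug would carry.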
🙌 Credit to Researcher(s)
This vulnerability was identified by AnduinBrian.
🔗 References
- https://github.com/AnduinBrian/Public/blob/main/Totolink%20T6/Vuln/4.md
- https://github.com/AnduinBrian/Public/blob/main/Totolink%20T6/Vuln/4.md#poc
- https://vuldb.com/?ctiid.316940
- https://vuldb.com/?id.316940
- https://www.totolink.net/
🧵 Tags
#CVE-2025-7837 #TOTOLINK #BufferOverflow #RCE #MQTT #Router #IoTSecurity
Summary: A critical buffer overflow vulnerability (CVE-2025-7837) has been discovered in TOTOLINK T6 routers, firmware version 4.1.5cu.748_B20211015. An attacker with low privileges can exploit this via a malicious MQTT message to achieve remote code execution, potentially gaining full control of the device. A patch or workaround is highly recommended.
CVE ID: CVE-2025-7837
Risk Analysis: Successful exploitation could allow an attacker to gain complete control of the router, intercept network traffic, inject malware, or use the router as a pivot point to attack other devices on the network. This poses a significant risk to the confidentiality, integrity, and availability of the network and connected devices.
Recommendation: Apply the latest firmware patch from TOTOLINK. If a patch is not available, disable the MQTT service in the router's configuration. Restrict access to the router's management interface to trusted networks only. Implement network monitoring to detect suspicious activity.
Timeline
- 2025-07-19: Vulnerability reported to VulDB and CVE assigned.
- 2025-07-19: Public disclosure of exploit.