Local Stack-Based Buffer Overflow in ToToLink Routers
CVE-2025-60686

5.1MEDIUM

Key Information:

Vendor: ToToLink
Status: ToToLink routers
Vendor: CVE Published:; 13 November 2025

What is CVE-2025-60686?

A local stack-based buffer overflow vulnerability exists in the infostat.cgi and cstecgi.cgi binaries of ToToLink routers. The vulnerability arises from the way these programs handle the contents of /proc/net/arp, utilizing sscanf() with '%s' format specifiers that write to fixed-size stack buffers without adequate length validation. This oversight allows an attacker with control over /proc/net/arp to overwrite buffers, resulting in memory corruption that can lead to a denial of service or potential arbitrary code execution.

References

http://totolink.com

https://www.totolink.net/

https://github.com/yifan20020708/SGTaint-0-day/blob/main/...

CVSS V3.1

Score:

5.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 13, 2025
Vulnerability Reserved
Sep 26, 2025

JSON