Buffer Overflow Vulnerability in TOTOLINK A950RG Router Firmware
CVE-2025-60699

6.5MEDIUM

Key Information:

Vendor: TOTOLINK
Status: A950RG Router
Vendor: CVE Published:; 13 November 2025

What is CVE-2025-60699?

A buffer overflow vulnerability exists in the firmware of the TOTOLINK A950RG Router, specifically within the global.so binary. The flaw is located in the getSaveConfig function, which retrieves the http_host parameter from user input via websGetVar. This parameter is then copied to a fixed-size stack buffer (v13) using strcpy() without any length validation. Due to this oversight, an unauthenticated remote attacker could exploit the vulnerability by sending specially crafted HTTP requests to the router's web interface, potentially resulting in arbitrary code execution on the device.

References

https://www.totolink.net/

https://github.com/yifan20020708/SGTaint-0-day/blob/main/...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 13, 2025
Vulnerability Reserved
Sep 26, 2025

JSON