CVE-2025-3991: Buffer Overflow in TOTOLINK N150RT
A vulnerability, which was classified as critical, was found in TOTOLINK N150RT 3.4.0-B20190525. This affects an unknown part of the file /boafrm/formWdsEncrypt. The manipulation of the argument submit-url leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-3991 is a critical buffer overflow vulnerability identified in the TOTOLINK N150RT wireless router, specifically version 3.4.0-B20190525. The flaw exists in the handling of the /boafrm/formWdsEncrypt endpoint, where improper validation of the 'submit-url' argument allows an attacker to overflow a buffer. The vulnerability is reachable over the network and needs no user interaction; note that the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L) records low privileges as required (PR:L), so some level of access to the web interface is assumed rather than none. The buffer overflow can lead to arbitrary code execution, potentially allowing an attacker to take full control of the affected device. The vulnerability impacts confidentiality, integrity, and availability (VC:H/VI:H/VA:H), making it highly severe. Although no exploitation in the wild has been confirmed yet, exploit code has been disclosed publicly, increasing the risk of imminent attacks. The TOTOLINK N150RT is a consumer-grade router commonly used in home and small-office environments and may also be deployed in small business settings. Its remote exploitability and high impact make it a significant threat to network security, as compromised routers can be used as pivot points for further attacks, including interception of network traffic, launching of distributed denial-of-service (DDoS) attacks, or establishing persistent backdoors within organizational networks.
Potential Impact
For European organizations, this vulnerability poses a substantial risk, especially for small and medium enterprises (SMEs) and home office setups that rely on TOTOLINK N150RT routers. Compromise of these devices can lead to unauthorized access to internal networks, data exfiltration, and disruption of business operations. Given the router’s role as a network gateway, attackers could intercept sensitive communications or manipulate traffic, undermining confidentiality and integrity. Additionally, the availability of network services could be disrupted by denial-of-service conditions or device crashes triggered by exploitation attempts. The public disclosure of exploit code increases the likelihood of opportunistic attacks, including automated scanning and exploitation campaigns targeting vulnerable devices across Europe. This risk is amplified in sectors with less mature cybersecurity postures or limited IT support, such as small businesses and remote workers. Furthermore, compromised routers could be leveraged as part of larger botnets, impacting broader internet infrastructure and critical services within Europe.
Mitigation Recommendations
1. Immediate firmware update: Organizations should verify if TOTOLINK has released a patched firmware version for the N150RT model and apply it promptly. If no official patch is available, consider temporarily disabling remote management features or restricting access to the router’s web interface to trusted IP addresses only.
2. Network segmentation: Isolate vulnerable routers from critical internal networks to limit potential lateral movement in case of compromise.
3. Monitoring and detection: Implement network monitoring to detect unusual traffic patterns or unauthorized access attempts targeting the /boafrm/formWdsEncrypt endpoint.
4. Replace legacy devices: Evaluate the use of TOTOLINK N150RT routers and consider replacing them with devices from vendors with stronger security track records and active support.
5. Incident response readiness: Prepare for potential exploitation by ensuring backup configurations and recovery procedures are in place to quickly restore network functionality if a device is compromised.
6. User awareness: Educate users about the risks of using outdated or unsupported network equipment and encourage reporting of any unusual device behavior.
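The following is an added detection example, not code from the advisory, from TOTOLINK, or from VulDB. It covers recommendations 1 and 3 above: it parses raw HTTP requests captured in front of the router (for example by a proxy or IDS), flags any request to /boafrm/formWdsEncrypt from a source outside a management allowlist, and flags a submit-url form value longer than a chosen threshold. The allowlist network, the 64-byte threshold, the wdsEncrypt form field and the sample requests are all assumptions constructed for the example; the N150RT's real form fields other than submit-url are not documented on this page.

```python
"""Flag suspicious requests to the TOTOLINK N150RT /boafrm/formWdsEncrypt
endpoint. Added example for this advisory; assumes raw HTTP/1.x requests
captured by a proxy or IDS are available as text. Sample data is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs

VULN_ENDPOINT = "/boafrm/formWdsEncrypt"   # endpoint named in the advisory
VULN_PARAM = "submit-url"                  # argument named in the advisory
# Assumed threshold: a legitimate submit-url is a short relative page path;
# anything much longer is unusual on this endpoint and worth an alert.
MAX_PARAM_LEN = 64
# Assumed management allowlist (mitigation 1): only these networks may reach
# the router's web interface.
TRUSTED_NETS = [ip_network("192.168.0.0/24")]


@dataclass
class Finding:
    src: str
    reason: str
    param_len: int


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, path, headers, body


def inspect(src: str, raw: str):
    """Return findings for one request; empty list if nothing is suspicious."""
    method, path, _headers, body = parse_request(raw)
    route, _, query = path.partition("?")
    findings = []
    if route != VULN_ENDPOINT:
        return findings
    # Mitigation 1: management endpoint reached from outside the allowlist.
    if not any(ip_address(src) in net for net in TRUSTED_NETS):
        findings.append(Finding(src, "untrusted source reached " + VULN_ENDPOINT, 0))
    # Mitigation 3: oversized submit-url, whether sent in the body or the query.
    params = parse_qs(body, keep_blank_values=True)
    for key, values in parse_qs(query, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    for value in params.get(VULN_PARAM, []):
        if len(value) > MAX_PARAM_LEN:
            findings.append(Finding(
                src, f"{VULN_PARAM} length {len(value)} exceeds {MAX_PARAM_LEN}",
                len(value)))
    return findings


# Constructed sample traffic: a normal form post from the LAN, an oversized
# submit-url from an untrusted address, and an unrelated page fetch.
SAMPLE_REQUESTS = [
    ("192.168.0.10",
     "POST /boafrm/formWdsEncrypt HTTP/1.1\r\nHost: 192.168.0.1\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "wdsEncrypt=0&submit-url=%2Fwds.htm"),
    ("203.0.113.5",
     "POST /boafrm/formWdsEncrypt HTTP/1.1\r\nHost: 192.168.0.1\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "wdsEncrypt=0&submit-url=" + "A" * 300),
    ("192.168.0.10",
     "GET /wds.htm HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n"),
]


def scan(samples=SAMPLE_REQUESTS):
    """Run inspect() over a list of (source_ip, raw_request) pairs."""
    return [f for src, raw in samples for f in inspect(src, raw)]


if __name__ == "__main__":
    for finding in scan():
        print(f"ALERT {finding.src}: {finding.reason}")
```

Running the script prints two alerts for the second sample (untrusted source, oversized submit-url) and nothing for the other two. In a real deployment the threshold should be tuned against the device's legitimate form submissions, and the allowlist should match the addresses from which administrators actually manage the router.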
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-04-26T08:15:50.200Z
- CISA Enriched: true
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 682d983dc4522896dcbef86b
Added to database: 5/21/2025, 9:09:17 AM
Last enriched: 6/24/2025, 6:50:13 PM
Last updated: 7/28/2025, 4:54:51 PM