
CVE-2025-60686: n/a

0
Medium
Vulnerability | CVE-2025-60686 | cve | cve-2025-60686
Published: Thu Nov 13 2025 (11/13/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A local stack-based buffer overflow vulnerability exists in the infostat.cgi and cstecgi.cgi binaries of ToToLink routers (A720R V4.1.5cu.614_B20230630, LR1200GB V9.1.0u.6619_B20230130, and NR1800X V9.1.0u.6681_B20230703). Both programs parse the contents of /proc/net/arp using sscanf() with "%s" format specifiers into fixed-size stack buffers without length validation. Specifically, one function writes user-controlled data into a single-byte buffer, and the other into adjacent small arrays without bounds checking. An attacker who controls the contents of /proc/net/arp can trigger memory corruption, leading to denial of service or potential arbitrary code execution.

AI-Powered Analysis

Last updated: 11/13/2025, 16:05:33 UTC

Technical Analysis

CVE-2025-60686 is a stack-based buffer overflow in two CGI binaries, infostat.cgi and cstecgi.cgi, on certain ToToLink router models (A720R V4.1.5cu.614_B20230630, LR1200GB V9.1.0u.6619_B20230130, NR1800X V9.1.0u.6681_B20230703). Both binaries parse the contents of /proc/net/arp with sscanf() using "%s" format specifiers. A "%s" conversion with no field width copies the entire whitespace-delimited token, so nothing limits how much is written to the destination buffer. One vulnerable function writes user-controlled data into a single-byte buffer; the other writes into adjacent small arrays on the stack without bounds checking. Because /proc/net/arp reflects the system's ARP table, an attacker who can manipulate its contents, either by local access or through other means, can trigger the overflow. The resulting memory corruption can lead to denial of service (crashes) or potentially arbitrary code execution with the privileges of the affected process. The vulnerability is local in nature: the attacker must influence the ARP table or have local system access. No patches or fixes are currently linked, and no public exploits have been reported. The lack of a CVSS score suggests the vulnerability is newly disclosed. The affected router models are used in various environments, including small to medium enterprises and possibly home offices, which may expose European organizations relying on these devices to risk.
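
For code review of similar parsers, the bounded form of this sscanf() pattern is sketched below. This is an added example, not code from the ToToLink firmware or from this advisory; the struct arp_entry layout, its buffer sizes and the parse_arp_line() name are assumptions made for illustration, and the sample lines are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Buffer sizes are assumptions for this example, not taken from the firmware. */
struct arp_entry {
    char ip[16];            /* "255.255.255.255" + NUL */
    char hw[18];            /* "aa:bb:cc:dd:ee:ff" + NUL */
    char mask[8];
    char dev[16];           /* IFNAMSIZ on Linux */
    unsigned type, flags;
};

/* A bare "%s" copies a token of any length. Here every %s has a width of
 * sizeof(buf) - 1, and %n records where each token stopped, so a token cut
 * short by its width is rejected rather than spilling into the next field.
 * Returns 1 when every string token fit its buffer, 0 when rejected. */
int parse_arp_line(const char *line, struct arp_entry *e)
{
    int ip_end = 0, hw_end = 0, mask_end = 0, dev_end = 0;
    memset(e, 0, sizeof *e);
    int n = sscanf(line, "%15s%n 0x%x 0x%x %17s%n %7s%n %15s%n",
                   e->ip, &ip_end, &e->type, &e->flags,
                   e->hw, &hw_end, e->mask, &mask_end, e->dev, &dev_end);
    if (n != 6)                       /* header line or too few fields */
        return 0;
    if (!isspace((unsigned char)line[ip_end]) ||
        !isspace((unsigned char)line[hw_end]) ||
        !isspace((unsigned char)line[mask_end]))
        return 0;                     /* a token exceeded its field width */
    for (const char *p = line + dev_end; *p; p++)
        if (!isspace((unsigned char)*p))
            return 0;                 /* device name truncated or extra data */
    return 1;
}

int main(void)
{
    /* Constructed sample lines in /proc/net/arp layout. */
    const char *lines[] = {
        "IP address       HW type     Flags       HW address            Mask     Device\n",
        "192.168.1.10     0x1         0x2         aa:bb:cc:dd:ee:ff     *        br0\n",
        "192.168.1.11     0x1         0x2         aa:bb:cc:dd:ee:ff     *        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n",
    };
    struct arp_entry e;
    for (size_t i = 0; i < sizeof lines / sizeof *lines; i++)
        printf("line %zu: %s\n", i, parse_arp_line(lines[i], &e) ? "accepted" : "rejected");
    return 0;
}
```

The parser bounds every write and rejects oversized tokens; it does not check that the accepted strings are well-formed IP or MAC addresses.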

Potential Impact

For European organizations, exploitation of CVE-2025-60686 could result in significant operational disruption due to denial of service or compromise of network infrastructure devices. Successful arbitrary code execution on routers could allow attackers to intercept, modify, or redirect network traffic, undermining confidentiality and integrity of communications. This is particularly critical for organizations relying on these routers for perimeter security or internal segmentation. The local nature of the exploit limits remote attack vectors; however, attackers who gain initial footholds or insider access could leverage this vulnerability to escalate privileges or establish persistent control over network devices. Given the widespread use of ToToLink routers in certain European markets, especially in small and medium-sized enterprises, the threat could impact business continuity and data protection compliance. Additionally, compromised routers could serve as pivot points for broader network intrusions or as part of botnets, amplifying the threat landscape.

Mitigation Recommendations

Organizations should immediately inventory their network infrastructure to identify the presence of affected ToToLink router models and firmware versions. Since no official patches are currently available, administrators should consider the following mitigations: restrict local access to router management interfaces and ARP table modification capabilities; implement strict network segmentation to limit exposure of routers to untrusted users; monitor ARP table changes and unusual network behavior indicative of manipulation; disable or restrict the use of vulnerable CGI binaries if possible; apply firmware updates promptly once vendors release patches; and consider replacing affected devices with alternative models if mitigation is not feasible. Additionally, employing network intrusion detection systems (NIDS) to detect anomalous ARP activity and buffer overflow attempts can provide early warning. Regular security audits and adherence to the principle of least privilege for network device management will reduce exploitation risk.


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-09-26T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 6916001feb29b6dceb02d49f

Added to database: 11/13/2025, 3:58:23 PM

Last enriched: 11/13/2025, 4:05:33 PM

Last updated: 11/14/2025, 4:10:50 AM
