CVE-2025-60699: n/a
A buffer overflow vulnerability exists in the TOTOLINK A950RG Router firmware V5.9c.4592_B20191022_ALL within the `global.so` binary. The `getSaveConfig` function retrieves the `http_host` parameter from user input via `websGetVar` and copies it into a fixed-size stack buffer (`v13`) using `strcpy()` without performing any length checks. An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted HTTP request to the router's web interface, potentially leading to arbitrary code execution.
AI Analysis
Technical Summary
CVE-2025-60699 is a critical buffer overflow vulnerability found in the TOTOLINK A950RG router firmware version V5.9c.4592_B20191022_ALL. The flaw resides in the global.so binary within the getSaveConfig function, which processes the http_host parameter obtained from user input through the websGetVar function. The vulnerability arises because the http_host parameter is copied into a fixed-size stack buffer (v13) using the unsafe strcpy() function without any bounds checking, leading to a classic stack-based buffer overflow. An unauthenticated attacker can exploit this remotely by sending a specially crafted HTTP request to the router’s web interface, which triggers the overflow and enables arbitrary code execution on the device. This could allow the attacker to gain full control over the router, potentially altering configurations, intercepting or redirecting traffic, or using the device as a foothold for further network attacks. No CVSS score has been assigned yet, and no patches or known exploits are currently documented. The vulnerability’s exploitation requires no authentication or user interaction, increasing its risk profile. The flaw affects the firmware version specified, and it is unknown if other versions are impacted. The vulnerability is significant because routers are critical network infrastructure components, and compromise can lead to widespread network disruption and data breaches.
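To make the defect concrete, the following C snippet is an added illustration (not TOTOLINK's code, and not derived from the `global.so` binary) of the pattern the advisory describes beside a bounds-checked replacement. The buffer size `HOST_BUF`, the `websGetVar_stub` lookup and the request table are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the router's websGetVar(): looks a parameter up
 * in an in-memory request table so the example runs offline. */
struct req { const char *name; const char *value; };

static const char *websGetVar_stub(const struct req *r, size_t n,
                                   const char *name, const char *dflt) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(r[i].name, name) == 0) return r[i].value;
    return dflt;
}

#define HOST_BUF 64   /* assumed size of the fixed stack buffer (not from the advisory) */

/* Pattern described in the advisory: strcpy() of request data into a fixed
 * stack buffer with no length check (CWE-121). Any value of HOST_BUF bytes
 * or more overwrites adjacent stack memory. */
static size_t vulnerable_getSaveConfig(const struct req *r, size_t n) {
    char v13[HOST_BUF];
    strcpy(v13, websGetVar_stub(r, n, "http_host", ""));
    return strlen(v13);
}

/* Hardened form: confirm the value fits (including the terminator) before
 * copying, and reject it otherwise. Returns 0 on success, -1 on rejection. */
static int hardened_getSaveConfig(const struct req *r, size_t n,
                                  char *out, size_t outsz) {
    const char *host = websGetVar_stub(r, n, "http_host", "");
    const char *nul = memchr(host, '\0', outsz);   /* scan at most outsz bytes */
    if (nul == NULL) return -1;                    /* no terminator within outsz: too long */
    memcpy(out, host, (size_t)(nul - host) + 1);   /* copies the NUL as well */
    return 0;
}

/* Checks on constructed input: a normal host value and an oversized one. */
static int check_accepts_normal_host(void) {
    const struct req r[] = {{"http_host", "192.168.0.1"}};
    char out[HOST_BUF];
    return hardened_getSaveConfig(r, 1, out, sizeof out) == 0 &&
           strcmp(out, "192.168.0.1") == 0 &&
           vulnerable_getSaveConfig(r, 1) == strlen("192.168.0.1");
}

static int check_rejects_oversized_host(void) {
    static char long_host[HOST_BUF + 32];           /* constructed over-long value */
    memset(long_host, 'x', sizeof long_host - 1);
    long_host[sizeof long_host - 1] = '\0';
    const struct req r[] = {{"http_host", long_host}};
    char out[HOST_BUF];
    return hardened_getSaveConfig(r, 1, out, sizeof out) == -1;
}

int main(void) {
    printf("normal host accepted: %d\n", check_accepts_normal_host());
    printf("oversized host rejected: %d\n", check_rejects_oversized_host());
    return 0;
}
```

The vulnerable function is only ever called with the short value here; the oversized value is passed solely to the hardened function, which rejects it instead of copying.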
Potential Impact
For European organizations, exploitation of this vulnerability could result in severe consequences including loss of network availability, interception or manipulation of sensitive data, and unauthorized access to internal networks. Compromised routers can be used to launch further attacks such as man-in-the-middle, DNS hijacking, or lateral movement within corporate networks. Critical infrastructure sectors relying on TOTOLINK A950RG routers could face operational disruptions. The unauthenticated nature of the exploit means attackers can target devices exposed to the internet without needing credentials, increasing the attack surface. Small and medium enterprises using these routers without robust network segmentation or monitoring are particularly vulnerable. The potential for arbitrary code execution elevates the risk of persistent backdoors or botnet recruitment, impacting confidentiality, integrity, and availability of organizational assets.
Mitigation Recommendations
Immediate mitigation involves isolating affected TOTOLINK A950RG routers from untrusted networks and restricting access to the web management interface via firewall rules or network segmentation. Organizations should monitor network traffic for unusual HTTP requests targeting router interfaces. Since no official patches are currently available, users should contact TOTOLINK support for firmware updates or advisories. Employing network intrusion detection/prevention systems (IDS/IPS) with signatures to detect exploitation attempts can help. As a longer-term measure, organizations should consider replacing vulnerable routers with devices from vendors with strong security track records and timely patching practices. Regularly auditing network devices for outdated firmware and disabling remote management interfaces where not necessary will reduce exposure. Implementing strict access controls and multi-factor authentication on network devices can limit the impact of potential exploits.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-09-26T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 691634ab6c6480bc32165eb9
Added to database: 11/13/2025, 7:42:35 PM
Last enriched: 11/13/2025, 7:43:01 PM
Last updated: 11/14/2025, 4:10:23 AM
Views: 11