CVE-2025-9781: Buffer Overflow in TOTOLINK A702R
A vulnerability has been found in TOTOLINK A702R 4.0.0-B20211108.1423. This affects the function sub_4162DC of the file /boafrm/formFilter. Such manipulation of the argument ip6addr leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-9781 is a high-severity buffer overflow in the TOTOLINK A702R router, reported against firmware version 4.0.0-B20211108.1423. The affected code is the handler behind the /boafrm/formFilter endpoint of the device's embedded web server (the Boa httpd used across TOTOLINK firmware); the binary is stripped, so the advisory identifies the handler only by its disassembler-assigned name, sub_4162DC. The handler reads the ip6addr form field from the request and, per the advisory, processes it without an adequate length check, so an overlong value overruns a fixed-size buffer. The page does not say which copy routine is involved or whether the buffer lives on the stack or the heap. The endpoint is reachable over plain HTTP by any host that can reach the router's web interface, and the CVSS 4.0 base score of 8.7 (network attack vector, low complexity, no privileges, no user interaction; high impact on confidentiality, integrity and availability) reflects an unauthenticated remote trigger whose outcome ranges from a crash of the web server (denial of service) to arbitrary code execution on the device. Exploit code has been disclosed publicly, although the advisory reports no known exploitation in the wild at the time of writing. Because the A702R is a consumer and small-office router that sits at the network edge, a compromised unit gives an attacker a position from which to intercept, redirect or block traffic for every host behind it.
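An added illustration of the bug class the advisory describes, written for this page rather than taken from the firmware, the vendor or VulDB: a form handler that copies a request field into a fixed stack buffer, beside a bounded version that rejects the value before copying. The function names, the 46-byte buffer and the use of strcpy are assumptions; the real routine is stripped and the page identifies it only as sub_4162DC.

```c
/* Added example: the unchecked-copy pattern behind CVE-2025-9781 and a
 * hardened replacement. Names, buffer size and strcpy are assumptions;
 * the actual TOTOLINK code is not on the page. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

#define IP6_BUF 46   /* INET6_ADDRSTRLEN: longest textual IPv6 address + NUL */

/* Vulnerable pattern: the form value is copied with no length check.
 * Never call this with attacker data; an ip6addr longer than IP6_BUF-1
 * bytes overwrites whatever follows buf on the stack. */
int filter_set_ip6addr_unsafe(const char *ip6addr)
{
    char buf[IP6_BUF];
    strcpy(buf, ip6addr);            /* overflow when strlen(ip6addr) >= IP6_BUF */
    return buf[0] != '\0';
}

/* Hardened pattern: bound the length before touching the buffer, then
 * require the value to parse as an IPv6 address. Returns 0 on success,
 * -1 for a missing, empty or overlong value, -2 for a non-address. */
int filter_set_ip6addr(const char *ip6addr, char out[IP6_BUF])
{
    struct in6_addr parsed;
    size_t n = 0;

    if (ip6addr == NULL)
        return -1;
    while (n < IP6_BUF && ip6addr[n] != '\0')   /* bounded scan, never past IP6_BUF */
        n++;
    if (n == 0 || n >= IP6_BUF)
        return -1;
    if (inet_pton(AF_INET6, ip6addr, &parsed) != 1)
        return -2;                               /* well-formed or rejected */
    memcpy(out, ip6addr, n + 1);                 /* safe: n + 1 <= IP6_BUF */
    return 0;
}

int main(void)
{
    char out[IP6_BUF];
    char big[300];

    /* Constructed oversized value standing in for an exploit payload. */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("valid    -> %d (%s)\n", filter_set_ip6addr("2001:db8::1", out), out);
    printf("too long -> %d\n", filter_set_ip6addr(big, out));
    printf("garbage  -> %d\n", filter_set_ip6addr("not-an-address", out));
    /* filter_set_ip6addr_unsafe(big) would smash the stack; not called. */
    return 0;
}
```

The two checks in the hardened version are independent: the length bound alone stops the memory corruption, and the inet_pton check additionally rejects values that could never be a filter rule, which is the same test a network-side detection rule can apply.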
Potential Impact
For European organizations the exposure is concentrated in small and medium enterprises, branch sites and home offices, where TOTOLINK A702R units are deployed for their low cost and simple setup. A successful exploit gives the attacker code execution on the edge device itself, from which they can reach the internal network, intercept or alter traffic, change DNS and routing settings, knock the site offline, or use the router as a foothold for lateral movement into corporate systems over VPN or site-to-site links. Organizations that depend on such devices for remote-site connectivity should expect operational disruption if they are targeted. Because the trigger needs neither credentials nor user interaction, and exploit details are public, the realistic threat is opportunistic mass scanning for exposed management interfaces as much as targeted attacks. The consequences span confidentiality (traffic interception), integrity (tampered routing and DNS) and availability (device crash or takeover), and a breach of personal data through a compromised router falls under GDPR reporting obligations, with the attendant financial and reputational cost.
Mitigation Recommendations
Start by inventorying TOTOLINK A702R devices and checking the firmware version shown in the administration interface against 4.0.0-B20211108.1423; the advisory links no fixed build, so treat that version (and, absent vendor confirmation, earlier ones) as vulnerable and watch TOTOLINK's support channels for an update. Until then, reduce who can reach the /boafrm/ handlers at all: make sure the web interface is not exposed on the WAN side, and on the LAN place the router's management address on a segment that only administrative hosts can reach, since the handler can be triggered by any client able to send it an HTTP POST. Note that ip6addr is simply the name of a form field on the filter page; the request is ordinary HTTP and the attack does not depend on IPv6 connectivity, so turning IPv6 off is not a mitigation, whereas disabling remote management is. For detection, an IDS/IPS or reverse-proxy rule that flags POSTs to /boafrm/formFilter whose ip6addr value is longer than any legal textual IPv6 address (45 characters) or does not parse as one will catch the public exploit and most variants with few false positives. Because these routers keep little or no local logging, also watch for unexpected configuration changes, DNS or gateway settings pointing at unfamiliar addresses, and outbound connections originating from the router itself. Where patched firmware is not forthcoming, plan to replace the device, and make sure users know to report lost connectivity or odd redirect behaviour, which is often the first visible sign of a compromised edge router.
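One way to implement the detection check recommended above, as an added example that is neither a vendor patch nor a published IDS signature: classify a raw HTTP request as a likely exploitation attempt against this endpoint. The rule (POST to /boafrm/formFilter carrying an ip6addr value that, after percent-decoding, is longer than any legal textual IPv6 address or does not parse as one), the function names and all sample requests are constructed assumptions for this page.

```c
/* Added example: network-side triage for CVE-2025-9781 exploitation
 * attempts. Rule logic and sample requests are assumptions, not vendor
 * code or a published signature. */
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define IP6_MAX 45                           /* INET6_ADDRSTRLEN - 1 */
#define TARGET_LINE "POST /boafrm/formFilter"

static int hexval(unsigned char c)
{
    if (isdigit(c)) return c - '0';
    c = (unsigned char)tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Find field `name` in an application/x-www-form-urlencoded body and
 * percent-decode its value into out (at most cap-1 bytes). Returns the
 * full decoded length, or -1 if the field is absent. Decoding matters:
 * an exploit can hide an overlong value behind %41%41... encoding. */
static long form_field(const char *body, const char *name, char *out, size_t cap)
{
    size_t nlen = strlen(name);
    const char *p = body;

    while (p != NULL && *p != '\0') {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            long n = 0;
            while (*v != '\0' && *v != '&') {
                int ch;
                if (*v == '%' && hexval((unsigned char)v[1]) >= 0
                              && hexval((unsigned char)v[2]) >= 0) {
                    ch = hexval((unsigned char)v[1]) * 16 + hexval((unsigned char)v[2]);
                    v += 3;
                } else {
                    ch = (*v == '+') ? ' ' : (unsigned char)*v;
                    v++;
                }
                if ((size_t)n < cap - 1) out[n] = (char)ch;
                n++;
            }
            out[(size_t)n < cap - 1 ? (size_t)n : cap - 1] = '\0';
            return n;
        }
        p = strchr(p, '&');          /* advance to the next field */
        if (p != NULL) p++;
    }
    return -1;
}

/* Returns 1 if the request looks like an attack on the formFilter
 * handler, 0 otherwise. *decoded_len receives the decoded ip6addr
 * length, or -1 if the request is off-target or lacks the field. */
int formfilter_suspect(const char *request, long *decoded_len)
{
    char val[64];
    struct in6_addr addr;
    size_t tl = strlen(TARGET_LINE);

    *decoded_len = -1;
    if (strncmp(request, TARGET_LINE, tl) != 0) return 0;
    if (request[tl] != ' ' && request[tl] != '?') return 0;   /* exact path only */
    const char *body = strstr(request, "\r\n\r\n");
    if (body == NULL) return 0;
    body += 4;
    long n = form_field(body, "ip6addr", val, sizeof val);
    *decoded_len = n;
    if (n < 0) return 0;                        /* field not present */
    if (n > IP6_MAX) return 1;                  /* cannot be a legal address */
    return inet_pton(AF_INET6, val, &addr) == 1 ? 0 : 1;
}

int main(void)
{
    /* Constructed samples: a legitimate filter update and an oversized one. */
    const char *benign =
        "POST /boafrm/formFilter HTTP/1.1\r\nHost: 192.168.0.1\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        "ip6addr=2001%3Adb8%3A%3A1&submit-url=%2Ffilter.htm";
    char attack[512];
    long n;

    strcpy(attack, "POST /boafrm/formFilter HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n"
                   "submit-url=%2Ffilter.htm&ip6addr=");
    size_t l = strlen(attack);
    memset(attack + l, 'A', 200);
    attack[l + 200] = '\0';

    printf("benign -> %d (len %ld)\n", formfilter_suspect(benign, &n), n);
    printf("attack -> %d (len %ld)\n", formfilter_suspect(attack, &n), n);
    return 0;
}
```

The length threshold alone is enough to catch overflow payloads; the inet_pton check adds coverage for short but malformed values, which are more likely to be probing than a misconfigured user. Run the rule over decoded bodies, not raw bytes, or the percent-encoded form of the same payload slips past a naive length match.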
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-01T05:09:10.298Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68b5a3fcad5a09ad00cfaebf
Added to database: 9/1/2025, 1:47:40 PM
Last enriched: 9/1/2025, 2:02:45 PM
Last updated: 9/3/2025, 12:34:09 AM