ID

VAR-202510-2269


CVE

CVE-2025-12259


TITLE

TOTOLINK A3300R setScheduleCfg function stack buffer overflow vulnerability

Trust: 0.6

sources: CNVD: CNVD-2025-27575

DESCRIPTION

A flaw has been found in TOTOLINK A3300R 17.0.0cu.557_B20221024. The affected element is the function setScheduleCfg of the file /cgi-bin/cstecgi.cgi of the component POST Parameter Handler. Manipulation of the argument recHour causes a stack-based buffer overflow. The attack can be initiated remotely. An exploit has been published and may be used. The TOTOLINK A3300R is a dual-band wireless router manufactured by TOTOLINK Electronics Co., Ltd. in China, used primarily in home and small network environments. Attackers can exploit this vulnerability to execute arbitrary code on the system or cause a denial of service.

Trust: 1.44

sources: NVD: CVE-2025-12259 // CNVD: CNVD-2025-27575

IOT TAXONOMY

category: ['Network device']
sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-27575

AFFECTED PRODUCTS

vendor: totolink
model: a3300r
scope: eq
version: 17.0.0cu.557_b20221024

Trust: 1.0

vendor: totolink
model: a3300r 17.0.0cu.557 b20221024
scope: -
version: -

Trust: 0.6

sources: CNVD: CNVD-2025-27575 // NVD: CVE-2025-12259

CVSS

SEVERITY

cna@vuldb.com: CVE-2025-12259
value: HIGH

Trust: 1.0

CNVD: CNVD-2025-27575
value: HIGH

Trust: 0.6

CVSSV2

cna@vuldb.com: CVE-2025-12259
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

CNVD: CNVD-2025-27575
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

cna@vuldb.com: CVE-2025-12259
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2025-27575 // NVD: CVE-2025-12259

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.0

problemtype:CWE-121

Trust: 1.0

sources: NVD: CVE-2025-12259

PATCH

title: Patch for TOTOLINK A3300R setScheduleCfg function stack buffer overflow vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/752101

Trust: 0.6

sources: CNVD: CNVD-2025-27575

EXTERNAL IDS

db: NVD
id: CVE-2025-12259

Trust: 1.6

db: VULDB
id: 329930

Trust: 1.0

db: CNVD
id: CNVD-2025-27575

Trust: 0.6

sources: CNVD: CNVD-2025-27575 // NVD: CVE-2025-12259

REFERENCES

url:https://github.com/noahze01/iot-vulnerable/blob/main/totolink/a3300r/setschedulecfg.md

Trust: 1.6

url:https://vuldb.com/?ctiid.329930

Trust: 1.0

url:https://www.totolink.net/

Trust: 1.0

url:https://vuldb.com/?submit.673726

Trust: 1.0

url:https://vuldb.com/?id.329930

Trust: 1.0

sources: CNVD: CNVD-2025-27575 // NVD: CVE-2025-12259

SOURCES

db: CNVD
id: CNVD-2025-27575

db: NVD
id: CVE-2025-12259

LAST UPDATE DATE

2025-11-19T23:14:42.666000+00:00


SOURCES UPDATE DATE

db: CNVD
id: CNVD-2025-27575
date: 2025-11-11T00:00:00

db: NVD
id: CVE-2025-12259
date: 2025-10-28T02:10:25.910

SOURCES RELEASE DATE

db: CNVD
id: CNVD-2025-27575
date: 2025-11-10T00:00:00

db: NVD
id: CVE-2025-12259
date: 2025-10-27T10:15:38.610