CVE-2025-7077

Name of the Vulnerable Software and Affected Versions: Shenzhen Libituo Technology LBT-T300-T310 versions up to 2.2.3.6

Description: A critical vulnerability has been found in the affected software. This issue affects the config 3g para function of the file /appy.cgi. The manipulation of the username 3g and password 3g arguments leads to a buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way.

Recommendations: For Shenzhen Libituo Technology LBT-T300-T310 versions up to 2.2.3.6, consider disabling the config 3g para function of the file /appy.cgi to prevent exploitation until a patch is available. Restrict access to the username 3g and password 3g parameters in the affected API endpoint to minimize the risk of exploitation. Avoid using the username 3g and password 3g parameters in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.