PT-2026-21743 · Totolink · Totolink X5000R
Published 2025-12-18 · Updated 2026-03-01 · CVE-2025-67445
CVSS v2.0: 7.8 (High) · Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
TOTOLINK X5000R version 9.1.0cu.2415 B20250515
Description
The software contains a denial-of-service issue in the /cgi-bin/cstecgi.cgi component. The component reads the CONTENT_LENGTH environment variable and allocates memory using malloc with insufficient bounds checking. A crafted, large POST request, when the lighttpd request size limit is not enforced, can lead to memory exhaustion or a segmentation fault, resulting in a crash of the management CGI and loss of web interface availability.
Recommendations
Apply a fix that enforces bounds checking on the CONTENT_LENGTH environment variable when allocating memory within the /cgi-bin/cstecgi.cgi component.
Exploit
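As an added illustration, not code from the TOTOLINK firmware or from this advisory: the allocation pattern the description names, beside a bounded CONTENT_LENGTH parse that implements the recommendation. The 64 KiB ceiling and all function names are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed ceiling for a management-CGI request body; the advisory gives
 * no figure, so this is a placeholder value, not TOTOLINK's. */
#define MAX_BODY_LEN (64UL * 1024UL)

/* The pattern the advisory describes: the client-chosen length reaches
 * malloc unchecked ("-1" wraps to 0, "2147483647" asks for 2 GiB). */
size_t unchecked_alloc_size(const char *content_length) {
    int len = atoi(content_length);
    return (size_t)len + 1;
}

/* Hardened parse: digits only, no sign, no overflow, and a hard ceiling
 * applied before any allocation. Returns 0 and sets *len, or -1. */
int parse_content_length(const char *env, size_t *len) {
    char *end; unsigned long long v;
    if (env == NULL || *env < '0' || *env > '9') return -1; /* "", "-1", "+5" */
    errno = 0;
    v = strtoull(env, &end, 10);
    if (errno == ERANGE || *end != '\0') return -1;   /* overflow or junk */
    if (v > MAX_BODY_LEN) return -1;                  /* enforce the ceiling */
    *len = (size_t)v;
    return 0;
}

/* Read the POST body only after the length has been validated. A body
 * shorter than advertised is rejected, not left partly filled. Returns a
 * NUL-terminated buffer the caller frees, or NULL. */
char *read_body_checked(const char *content_length, FILE *in) {
    size_t len, got; char *buf;
    if (parse_content_length(content_length, &len) != 0) return NULL;
    buf = malloc(len + 1);                  /* at most MAX_BODY_LEN + 1 bytes */
    if (buf == NULL) return NULL;
    got = fread(buf, 1, len, in);
    if (got != len) { free(buf); return NULL; }
    buf[len] = '\0';
    return buf;
}

/* CGI entry point: an out-of-range length gets a 400, not a crash. */
int main(void) {
    char *body = read_body_checked(getenv("CONTENT_LENGTH"), stdin);
    if (body == NULL) { fputs("Status: 400 Bad Request\r\n\r\n", stdout); return 1; }
    fputs("Content-Type: text/plain\r\n\r\nok\r\n", stdout);
    free(body);
    return 0;
}
```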
Fix
DoS
Buffer Overflow
Resource Exhaustion
Related Identifiers: CVE-2025-67445
Affected Products: Totolink X5000R, Lighttpd