CVE-2022-25075
Published: 24 February 2022
Summary
CVE-2022-25075 is a critical-severity OS Command Injection (CWE-78) vulnerability in Totolink A3000Ru Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 2.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-25075 is a command injection vulnerability (CWE-78) affecting the TOTOLink A3000RU router running firmware version V5.9c.2280_B20180512. The flaw resides in the Main function and permits arbitrary operating-system command execution when attacker-controlled input is processed through the QUERY_STRING parameter.
Unauthenticated attackers with network access can exploit the issue remotely without user interaction. Successful exploitation yields full control over the device, allowing arbitrary command execution that can result in confidentiality, integrity, and availability impacts consistent with the CVSS 9.8 rating.
Public references consist of proof-of-concept details hosted on GitHub; no vendor advisory, firmware patch, or official mitigation guidance is referenced in the supplied information. The EPSS score stands at 0.4209 with an identical recorded peak, indicating sustained exploitation interest but without a documented post-disclosure rise from a low baseline.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-29819
Vulnerability details
TOTOLink A3000RU V5.9c.2280_B20180512 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.