CVE-2022-25075

Critical · Public PoC · RCE

Published: 24 February 2022

Modified: 21 November 2024
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.4209 (97.5th percentile)
Risk priority: 45 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-25075 is a critical-severity OS Command Injection (CWE-78) vulnerability in TOTOLink A3000RU firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 2.5% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-25075 is a command injection vulnerability (CWE-78) affecting the TOTOLink A3000RU router running firmware version V5.9c.2280_B20180512. The flaw resides in the Main function and permits arbitrary operating-system command execution when attacker-controlled input is processed through the QUERY_STRING parameter.

Unauthenticated attackers with network access can exploit the issue remotely without user interaction. Successful exploitation yields full control over the device, allowing arbitrary command execution that can result in confidentiality, integrity, and availability impacts consistent with the CVSS 9.8 rating.

Public references consist of proof-of-concept details hosted on GitHub; no vendor advisory, firmware patch, or official mitigation guidance is referenced in the supplied information. The EPSS score stands at 0.4209 with an identical recorded peak, indicating sustained exploitation interest but without a documented post-disclosure rise from a low baseline.

Vulnerability details

TOTOLink A3000RU V5.9c.2280_B20180512 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: totolink
Product: a3000ru firmware
Version: v5.9c.2280_b20180512

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.
