Cyber Resilience

CVE-2022-25131

Critical · RCE

Published: 19 February 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0446 (89.3rd percentile)
Risk Priority: 22 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-25131 is a critical-severity Command Injection (CWE-77) vulnerability in TOTOLINK T6 and T10 router firmware. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, its EPSS score places it in the top 10.7% of CVEs by predicted exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

A command injection vulnerability exists in the recvSlaveCloudCheckStatus function of certain TOTOLINK routers, specifically T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 and T10 V2_Firmware V4.1.8cu.5207_B20210320. The flaw, tracked as CVE-2022-25131 and classified as CWE-77, lets an unauthenticated attacker inject and execute arbitrary operating system commands by sending a specially crafted MQTT packet. It carries a CVSS 3.1 base score of 9.8, reflecting a network attack vector, low attack complexity, and no required privileges or user interaction.

An attacker with network access to the router's MQTT interface can exploit the issue to run commands with the privileges of the affected process, potentially leading to full device compromise, including configuration changes, credential theft, or use of the router as a pivot point into the network behind it.
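As an added illustration of the CWE-77 pattern this advisory describes (example code written for this page, not TOTOLINK's firmware, whose internals the advisory does not show): a minimal MQTT 3.1.1 PUBLISH decoder, a handler that splices the received payload into a shell command line the way a command-injectable handler does, and the hardened form that allowlists the field and runs the helper without a shell. The topic slave/status, the payload node01;reboot and the helper path /usr/sbin/cloud_check are constructed for the example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Minimal MQTT 3.1.1 PUBLISH as it arrives on the wire: fixed header (type/flags,
 * remaining length), topic (2-byte length + bytes), then payload. Written for this
 * illustration; handles QoS 0 and a single-byte remaining length only. */
typedef struct {
    char topic[64];
    char payload[128];
} mqtt_publish_t;

/* Build a constructed QoS 0 PUBLISH into buf. Returns its length, or 0 if it does not fit. */
size_t make_publish(uint8_t *buf, size_t cap, const char *topic, const char *payload) {
    size_t tlen = strlen(topic), plen = strlen(payload);
    size_t rem = 2 + tlen + plen;            /* topic length field + topic + payload */
    if (rem > 127 || rem + 2 > cap) return 0;
    buf[0] = 0x30;                           /* PUBLISH, DUP=0, QoS=0, RETAIN=0 */
    buf[1] = (uint8_t)rem;
    buf[2] = (uint8_t)(tlen >> 8);
    buf[3] = (uint8_t)(tlen & 0xFF);
    memcpy(buf + 4, topic, tlen);
    memcpy(buf + 4 + tlen, payload, plen);
    return rem + 2;
}

/* Decode a PUBLISH packet. Returns 0 on success, -1 on anything malformed. */
int mqtt_parse_publish(const uint8_t *pkt, size_t len, mqtt_publish_t *out) {
    if (len < 4) return -1;
    if ((pkt[0] & 0xF0) != 0x30) return -1;          /* packet type 3 = PUBLISH */
    if ((pkt[0] & 0x06) != 0) return -1;             /* QoS 1/2 carry a packet id; not handled */
    size_t rem = pkt[1];
    if ((rem & 0x80) || rem != len - 2) return -1;   /* single-byte remaining length must match */
    size_t tlen = ((size_t)pkt[2] << 8) | pkt[3];
    if (tlen == 0 || tlen >= sizeof out->topic || 4 + tlen > len) return -1;
    size_t plen = len - 4 - tlen;
    if (plen >= sizeof out->payload) return -1;
    memcpy(out->topic, pkt + 4, tlen);
    out->topic[tlen] = '\0';
    memcpy(out->payload, pkt + 4 + tlen, plen);
    out->payload[plen] = '\0';
    return 0;
}

/* VULNERABLE pattern (CWE-77): the payload is spliced verbatim into a shell command line.
 * A real handler would hand the result to system(); here it is only returned so the
 * injected ";reboot" can be inspected. The helper path is hypothetical. */
int vuln_build_cmd(const char *payload, char *cmd, size_t n) {
    int w = snprintf(cmd, n, "/usr/sbin/cloud_check %s", payload);
    return (w < 0 || (size_t)w >= n) ? -1 : 0;
}

/* Hardened step 1: allowlist the field. Only [A-Za-z0-9_-], 1..32 bytes. 0 = acceptable. */
int validate_slave_id(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 32) return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '_' && c != '-') return -1;
    }
    return 0;
}

/* Hardened step 2: run the helper without a shell, the field as one argv element.
 * Returns -1 if validation fails, else the child's exit status (127 if helper is missing). */
int safe_run(const char *payload) {
    if (validate_slave_id(payload) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { "/usr/sbin/cloud_check", (char *)payload, NULL };
        execv(argv[0], argv);                /* no /bin/sh: metacharacters are never interpreted */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    uint8_t buf[256];
    mqtt_publish_t msg;
    char cmd[128];
    /* Constructed message: a plausible slave id with a shell command appended. */
    size_t n = make_publish(buf, sizeof buf, "slave/status", "node01;reboot");
    if (mqtt_parse_publish(buf, n, &msg) != 0) return 1;
    vuln_build_cmd(msg.payload, cmd, sizeof cmd);
    printf("vulnerable handler would run: %s\n", cmd);
    printf("hardened check on \"%s\": %s\n", msg.payload,
           validate_slave_id(msg.payload) == 0 ? "accepted" : "rejected");
    printf("hardened check on \"node01\": %s\n",
           validate_slave_id("node01") == 0 ? "accepted" : "rejected");
    return 0;
}
```

The two hardening steps are independent: the allowlist rejects the crafted payload before anything is executed, and execv without a shell means that even a field that slips past validation is delivered to the helper as a single argument rather than parsed for metacharacters.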

Public references consist of a technical write-up on GitHub and an IBM X-Force entry; neither source describes vendor patches, firmware updates, or other mitigation steps.

EPSS for the CVE peaked at 0.0558 on 2025-01-22 and has since receded to the current 0.0446, a modest late rise in predicted exploitation interest that has not been sustained.


Vulnerability details

A command injection vulnerability in the function recvSlaveCloudCheckStatus of TOTOLINK Technology routers T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 and T10 V2_Firmware V4.1.8cu.5207_B20210320 allows attackers to execute arbitrary commands via a crafted MQTT packet.

CWE(s)

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

TOTOLINK T6 firmware, version V4.1.5cu.748_B20211015
TOTOLINK T10 firmware, version V4.1.8cu.5207_B20210320

Mitigating Controls

No mitigating controls have been mapped yet (the per-CVE control annotator has not reached this CVE). Because exploitation requires network access to the router's MQTT interface and no vendor fix is referenced, the interim step a practitioner can take is to restrict which networks and clients can reach that interface, and in particular not to expose it to untrusted networks.
