CVE-2022-25132
Published: 19 February 2022
Summary
CVE-2022-25132 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink T6 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 10.7% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
A command injection vulnerability tracked as CVE-2022-25132 affects the meshSlaveDlfw function in TOTOLINK T6 V3 routers running firmware version T6_V3_V4.1.5cu.748_B20211015. The flaw, assigned CWE-77, permits unauthenticated attackers to supply a crafted MQTT packet that results in arbitrary command execution on the device. It carries a CVSS 3.1 base score of 9.8, reflecting network-accessible exploitation with no required privileges or user interaction.
An attacker who can reach the router's MQTT service can send a crafted message that drives the vulnerable function, executing arbitrary commands on the device and taking control of it. Confidentiality, integrity, and availability are all affected, and no prior authentication is required.
The EPSS score for the CVE remained low after disclosure in February 2022 but rose materially to a peak of 0.0558 on 2025-01-22 before receding to the current value of 0.0446, indicating a rise in predicted exploitation likelihood years after publication. Public references consist primarily of a technical write-up hosted on GitHub and an IBM X-Force entry, neither of which details vendor patches or mitigation steps. Until a vendor fix is identified, the practical control is to keep the router's MQTT service unreachable from untrusted networks.
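The description above stays at the level of "a crafted MQTT packet reaches meshSlaveDlfw and a command runs". The C below is an added example, not TOTOLINK's firmware code, showing the generic CWE-77 pattern such a function typically exhibits next to a hardened version: the firmware-URL field, the wget command, the sample payloads and the validation rules are all assumptions made for illustration, since the real payload format is not published on this page.

```c
/* Added illustration, not TOTOLINK's meshSlaveDlfw code: the CWE-77 pattern
 * behind this class of bug (an MQTT-supplied string spliced into a shell
 * command) next to a hardened variant. The "firmware URL" field, the wget
 * command and the sample payloads are assumptions made for the example. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Constructed sample values standing in for one field of the MQTT payload. */
static const char *BENIGN_URL   = "http://192.168.0.1/fw/t6_v3.bin";
static const char *INJECTED_URL = "http://192.168.0.1/fw.bin;telnetd -l /bin/sh -p 2323";

/* Vulnerable pattern: the untrusted value is formatted straight into a command
 * line that would then go to system(). A ';' in the value ends the intended
 * wget and starts an attacker-chosen command with the daemon's privileges.
 * Writes the command into out instead of executing it. */
int build_dlfw_cmd_vulnerable(const char *url, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "wget -q -O /tmp/fw.bin %s", url);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Convenience for inspecting the vulnerable result: 1 if the command line
 * built from url contains needle, 0 otherwise. */
int vulnerable_cmd_contains(const char *url, const char *needle)
{
    char cmd[512];
    if (build_dlfw_cmd_vulnerable(url, cmd, sizeof cmd) != 0) return 0;
    return strstr(cmd, needle) != NULL;
}

/* Hardening step 1: allowlist. Only http(s) URLs made of characters a URL
 * legitimately needs; shell metacharacters, quotes and whitespace are
 * rejected rather than escaped. Returns 0 when acceptable, -1 otherwise. */
int validate_fw_url(const char *url)
{
    if (url == NULL || strlen(url) > 256) return -1;
    if (strncmp(url, "http://", 7) != 0 && strncmp(url, "https://", 8) != 0) return -1;
    for (const char *p = url; *p != '\0'; p++) {
        if (isalnum((unsigned char)*p) || strchr("-._~:/?=&%", *p) != NULL) continue;
        return -1;
    }
    return 0;
}

/* Hardening step 2: no shell at all. The URL travels as one argv element to
 * execvp, so even a value that slipped past validation cannot become a second
 * command. Returns the child's exit status, or -1 on rejection or failure. */
int run_dlfw_safe(const char *url)
{
    if (validate_fw_url(url) != 0) return -1;
    char *const argv[] = { "wget", "-q", "-O", "/tmp/fw.bin", (char *)url, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                 /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[512];
    build_dlfw_cmd_vulnerable(INJECTED_URL, cmd, sizeof cmd);
    printf("vulnerable path would system(): %s\n", cmd);
    printf("validate benign=%d injected=%d\n",
           validate_fw_url(BENIGN_URL), validate_fw_url(INJECTED_URL));
    printf("safe path on injected payload: %d (rejected)\n", run_dlfw_safe(INJECTED_URL));
    return 0;
}
```

The two hardening steps are deliberately independent: the allowlist stops the injected payload before any process is spawned, and the shell-free execvp means that even a future relaxation of the allowlist cannot turn a URL into a second command. On a router where the MQTT handler runs as root, either step alone would have prevented the outcome this CVE describes.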
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-29875
Vulnerability details
A command injection vulnerability in the function meshSlaveDlfw of TOTOLINK Technology router T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 allows attackers to execute arbitrary commands via a crafted MQTT packet.
- CWE(s): CWE-77 (Improper Neutralization of Special Elements used in a Command, 'Command Injection')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- TOTOLINK T6 V3 router, firmware T6_V3_V4.1.5cu.748_B20211015
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.