CVE-2022-25133
Published: 19 February 2022
Summary
CVE-2022-25133 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink T6 Firmware. Its CVSS base score is 9.8 (Critical).
Its EPSS percentile places it in the top 10.7% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A command injection vulnerability tracked as CVE-2022-25133 affects the isAssocPriDevice function in TOTOLINK T6 routers running firmware version T6_V3_V4.1.5cu.748_B20211015. The flaw, assigned CWE-77, permits arbitrary operating-system commands to be executed when the device processes a specially crafted MQTT packet. It carries a CVSS 3.1 base score of 9.8, corresponding to the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: network attack vector, low attack complexity, no privileges or user interaction required, and high impact to confidentiality, integrity and availability.
Unauthenticated remote attackers can therefore send malicious MQTT messages to the router and obtain arbitrary command execution, resulting in full compromise of the device's confidentiality, integrity, and availability. The supplied references consist of a proof-of-concept description hosted on GitHub and an IBM X-Force vulnerability entry; neither source provides mitigation steps, firmware updates, or configuration guidance. Because the MQTT handler is reachable without authentication, restricting network exposure of the router's MQTT service is the only practical defence the available material points to.
The associated EPSS score remains low, reaching a modest peak of 0.0558 in January 2025 before receding to its current value of 0.0446. No information is available on observed in-the-wild exploitation.
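The page only tells us that a field from an MQTT payload reaches an OS command. The following C program is an added illustration of that bug class and its fix, not TOTOLINK's code: the payload is assumed (hypothetically) to carry a peer MAC address that the handler forwards to a wireless driver utility, and the names build_cmd_vulnerable, build_argv_hardened, is_valid_mac and the iwpriv-style command line are invented for the example. It shows how a shell metacharacter in the field smuggles a second command into system(), and how a strict allowlist plus exec without a shell closes that path.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Illustrative model of a command-injection bug in an MQTT message handler.
 * Hypothetical assumption: the payload carries a peer MAC address that the
 * handler passes to a wireless driver tool. All names here are invented and
 * do not describe the actual TOTOLINK firmware.
 */

#define MAC_LEN 17   /* "aa:bb:cc:dd:ee:ff" */
#define CMD_MAX 256

/* Vulnerable pattern: the attacker-controlled MQTT field is pasted into a
 * shell command line. Returns the string that would be handed to system();
 * the example never actually runs it. 0 on success, -1 if truncated. */
int build_cmd_vulnerable(const char *mac_from_mqtt, char *cmd, size_t cmd_len)
{
    int n = snprintf(cmd, cmd_len, "iwpriv wlan0 set_pri_dev %s", mac_from_mqtt);
    return (n < 0 || (size_t)n >= cmd_len) ? -1 : 0;
}

/* Strict allowlist: exactly six hex octets separated by ':'. Anything else,
 * including ';', '`', '$(', '|', newlines or spaces, is rejected. */
int is_valid_mac(const char *s)
{
    if (s == NULL || strlen(s) != MAC_LEN)
        return 0;
    for (int i = 0; i < MAC_LEN; i++) {
        if (i % 3 == 2) {
            if (s[i] != ':')
                return 0;
        } else if (!isxdigit((unsigned char)s[i])) {
            return 0;
        }
    }
    return 1;
}

/* Hardened pattern: validate first, then build an argv for a direct exec so
 * no shell ever parses the field. argv needs room for 5 pointers.
 * Returns 0 on success, -1 when the input fails validation. */
int build_argv_hardened(const char *mac_from_mqtt, const char *tool_path,
                        const char *argv[5])
{
    if (!is_valid_mac(mac_from_mqtt))
        return -1;
    argv[0] = tool_path;
    argv[1] = "wlan0";
    argv[2] = "set_pri_dev";
    argv[3] = mac_from_mqtt;   /* single argument, metacharacters are inert */
    argv[4] = NULL;
    return 0;
}

/* fork + execv: the argument vector goes straight to the program, so there
 * is no /bin/sh to interpret ';' or '`'. Returns the child's exit status,
 * or -1 on failure. */
int run_without_shell(const char *argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);
        _exit(127);   /* only reached if exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample payload fields: a benign MAC and an injection attempt. */
    const char *benign = "00:11:22:33:44:55";
    const char *evil   = "00:11:22:33:44:55;telnetd -l /bin/sh";
    char cmd[CMD_MAX];
    const char *argv[5];

    build_cmd_vulnerable(evil, cmd, sizeof cmd);
    printf("system() would receive: %s\n", cmd);   /* second command would run */

    printf("hardened(evil)   -> %d\n", build_argv_hardened(evil, "/bin/echo", argv));
    if (build_argv_hardened(benign, "/bin/echo", argv) == 0)
        printf("hardened(benign) -> child exit %d\n", run_without_shell(argv));
    return 0;
}
```

The validator deliberately checks the exact shape the field must have rather than searching for a blocklist of dangerous characters; blocklists miss encodings and shell features that later firmware or a different shell may accept. Using /bin/echo in main stands in for the driver tool so the program can be run on any POSIX host.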
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-29876
Vulnerability details
A command injection vulnerability in the function isAssocPriDevice of TOTOLINK Technology router T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 allows attackers to execute arbitrary commands via a crafted MQTT packet.
- CWE(s): CWE-77, Improper Neutralization of Special Elements used in a Command ('Command Injection')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
TOTOLINK T6 V3 router, firmware T6_V3_V4.1.5cu.748_B20211015 (the only version named in the advisory; other versions have not been assessed here).
Mitigating Controls
No mitigating controls mapped yet for this CVE. The cited references contain no vendor fix or configuration guidance, so the recommendation is limited to keeping the router's MQTT service off untrusted networks and checking with the vendor for updated firmware.