CVE-2022-25134
Published: 19 February 2022
Summary
CVE-2022-25134 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink T6 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 10.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A command injection vulnerability tracked as CVE-2022-25134 affects the setUpgradeFW function in TOTOLINK T6 V3 routers running firmware version T6_V3_V4.1.5cu.748_B20211015. The flaw, assigned CWE-77, permits arbitrary command execution when the device processes a specially crafted MQTT packet. It received a CVSS 3.1 base score of 9.8, reflecting network-accessible attack vectors that require no authentication or user interaction.
An unauthenticated attacker with network access to the router can send a malicious MQTT message that triggers the vulnerable function, resulting in full control over the device including the ability to read, modify, or delete data and disrupt availability. The attack requires only that the router be reachable and listening for MQTT traffic.
Public references consist primarily of a technical write-up and proof-of-concept on GitHub along with an IBM X-Force entry; none of the listed sources describe vendor patches, firmware updates, or specific mitigation steps. The associated EPSS score has remained low, reaching a peak of 0.0558 in January 2025 before receding to 0.0446, indicating limited observed exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-29877
Vulnerability details
A command injection vulnerability in the function setUpgradeFW of TOTOLINK Technology router T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 allows attackers to execute arbitrary commands via a crafted MQTT packet.
- CWE(s): CWE-77 (Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
TOTOLINK T6 V3 router, firmware version T6_V3_V4.1.5cu.748_B20211015.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.