CVE-2022-25137
Published: 19 February 2022
Summary
CVE-2022-25137 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink T6 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 10.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-25137 is a command injection vulnerability (CWE-77) residing in the recvSlaveUpgstatus function of TOTOLINK T6 V3 routers running firmware T6_V3_V4.1.5cu.748_B20211015 and T10 V2 routers running V4.1.8cu.5207_B20210320. The flaw permits unauthenticated attackers to supply a crafted MQTT packet that results in arbitrary command execution on the device, which is reflected in its CVSS 3.1 score of 9.8.
An attacker with network access to the router’s MQTT interface can exploit the issue without credentials or user interaction, achieving full control over the device including the ability to read, modify, or delete data and potentially pivot within the local network.
Public references consist primarily of a technical write-up and proof-of-concept on GitHub together with an IBM X-Force entry; no vendor advisory or firmware patch information is included in the available sources.
The EPSS score rose from a low baseline after the 2022 disclosure to a peak of 0.0558 on 2025-01-22 before receding to the current value of 0.0446, indicating a measurable increase in observed exploitation interest several years after publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-29880
Vulnerability details
A command injection vulnerability in the function recvSlaveUpgstatus of TOTOLINK Technology routers T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 and T10 V2_Firmware V4.1.8cu.5207_B20210320 allows attackers to execute arbitrary commands via a crafted MQTT packet.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.