CVE-2025-11005
Published: 25 September 2025
Summary
CVE-2025-11005 is a critical-severity OS Command Injection (CWE-78) vulnerability in Totolink X6000R Firmware. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 22.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-11005 is an OS command injection vulnerability (CWE-78) affecting the TOTOLINK X6000R router. It stems from improper neutralization of special elements in OS commands and impacts all versions through firmware V9.4.0cu.1458_B20250708. The flaw carries a CVSS 4.0 score of 9.3, reflecting network-accessible attack vectors with no required authentication or user interaction.
An unauthenticated remote attacker can supply crafted input that results in arbitrary operating-system command execution on the device. Successful exploitation grants the ability to read or modify sensitive data, disrupt device operation, and potentially leverage the router as a pivot point into attached networks, consistent with the high confidentiality, integrity, and availability impacts described in the CVSS vector.
The referenced Palo Alto Networks disclosure and TOTOLINK firmware page indicate that updated firmware is the primary remediation path; administrators should obtain the latest release from the vendor. The associated EPSS score rose from a low baseline to a peak of 0.0321 on 2026-02-03 before receding to the current value of 0.0089, indicating a period of increased exploitation interest following public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-31165
Vulnerability details
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in TOTOLINK X6000R allows OS Command Injection.This issue affects X6000R: through V9.4.0cu.1458_B20250708.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS Command Injection vulnerability in the TOTOLINK X6000R router enables exploitation of a public-facing web application (T1190) to execute arbitrary commands via the network device CLI or shell (T1059.008).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates OS command injection by requiring validation and sanitization of inputs to neutralize special elements used in OS commands.
Remediates the specific flaw in the TOTOLINK X6000R firmware through timely patching as advised by vendors.
Complements input validation by restricting types and quantities of inputs to block oversized or malformed payloads used in command injection exploits.