Cyber Posture

CVE-2025-11005

CriticalRCE

Published: 25 September 2025

Published
25 September 2025
Modified
16 October 2025
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0094 76.4th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-11005 is a critical-severity OS Command Injection (CWE-78) vulnerability in Totolink X6000R Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 23.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly mitigates OS command injection by requiring validation and sanitization of inputs to neutralize special elements used in OS commands.

SI-2 Flaw Remediation good match
prevent

Remediates the specific flaw in the TOTOLINK X6000R firmware through timely patching as advised by vendors.

SI-9 Information Input Restrictions partial match
prevent

Complements input validation by restricting types and quantities of inputs to block oversized or malformed payloads used in command injection exploits.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
attack.mitre.org →
Why these techniques?

OS Command Injection vulnerability in the TOTOLINK X6000R router enables exploitation of a public-facing web application (T1190) to execute arbitrary commands via the network device CLI or shell (T1059.008).

NVD Description

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in TOTOLINK X6000R allows OS Command Injection.This issue affects X6000R: through V9.4.0cu.1458_B20250708.

Deeper analysisAI

CVE-2025-11005 is an improper neutralization of special elements used in an OS command, classified as an OS Command Injection vulnerability (CWE-78), affecting the TOTOLINK X6000R router. This flaw allows arbitrary OS command execution and impacts all versions through V9.4.0cu.1458_B20250708. The vulnerability received a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and high impacts.

A remote, unauthenticated attacker with network access to the device can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation enables the injection and execution of arbitrary operating system commands, potentially granting full control over the router with high consequences for confidentiality, integrity, and availability.

Advisories detailing the issue and mitigation are available from Palo Alto Networks at https://github.com/PaloAltoNetworks/u42-vulnerability-disclosures/blob/main/2025/PANW-2025-0005/PANW-2025-0005.md and from TOTOLINK at https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/247/ids/36.html.

Details

CWE(s)
CWE-78

Affected Products

totolink
x6000r firmware
≤ 9.4.0cu.1360_b20241207

CVEs Like This One

CVE-2025-52906Same product: Totolink X6000R
CVE-2025-70328Same product: Totolink X6000R
CVE-2026-4611Same product: Totolink X6000R
CVE-2025-52907Same product: Totolink X6000R
CVE-2025-52053Same product: Totolink X6000R
CVE-2025-25579Same vendor: Totolink
CVE-2024-57017Same vendor: Totolink
CVE-2026-31178Same vendor: Totolink
CVE-2025-51390Same vendor: Totolink
CVE-2026-31181Same vendor: Totolink

References