Cyber Resilience

CVE-2025-14586

Severity: Low | Public PoC

Published: 13 December 2025
Modified: 29 April 2026
KEV Added: not listed
Patch: none listed
CVSS v4 Score: 2.1
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0094 (76.6th percentile)
Risk Priority: 5 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-14586 is a low-severity Command Injection (CWE-77) vulnerability in Totolink X5000R Firmware. Its CVSS base score is 2.1 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 23.4% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A vulnerability was identified in the TOTOLINK X5000R router running firmware version 9.1.0cu.2089_B20211224. The issue resides in the snprintf function of /cgi-bin/cstecgi.cgi when processing the exportOvpn action with a user-supplied argument, allowing OS command injection via manipulation of the User parameter. The flaw is tracked under CWE-77 and CWE-78 and carries a CVSS 4.0 score of 2.1.

An authenticated remote attacker can send a crafted HTTP request to the affected CGI endpoint and inject arbitrary operating-system commands. Successful exploitation yields limited effects on confidentiality, integrity, and availability of the device, with the public exploit code demonstrating remote reachability without user interaction.

The EPSS score has risen from a low baseline to a recorded peak of 0.0192, indicating growing exploitation interest after disclosure. Public proof-of-concept material is available, and the vendor site is listed among references, though no specific patch or mitigation guidance is detailed in the available advisories.
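The bug class described above, as an added illustration that is not TOTOLINK's code or the published PoC: a hypothetical CGI handler that formats the User value into a shell command with snprintf() (the unsafe pattern), beside a hardened variant that allowlists the value (SI-10) and hands it to the helper as a single argv element instead of a shell string. The helper path /usr/sbin/ovpn-export and the sample input are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (hypothetical reconstruction of the bug class in the
 * advisory, not TOTOLINK's code): the User argument is formatted straight
 * into a shell command line. snprintf() bounds the buffer but passes shell
 * metacharacters through untouched, so system(cmd) would run whatever the
 * caller appended. The system() call itself is omitted so this runs offline. */
int build_export_cmd_unsafe(char *cmd, size_t cmdlen, const char *user) {
    return snprintf(cmd, cmdlen, "/usr/sbin/ovpn-export --user %s", user);
}

/* Hardened step 1 (SI-10, input validation): allowlist the User value before
 * it reaches any command. Account names need alphanumerics plus a few safe
 * symbols; everything else, including ';', '|', '`' and '$', is rejected. */
bool is_valid_user_arg(const char *user) {
    size_t len = user ? strlen(user) : 0;
    if (len == 0 || len > 32) return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.') return false;
    }
    return true;
}

/* Hardened step 2: do not go through a shell at all. Build an argv vector
 * for execve()/posix_spawn() so the value is one argument and is never
 * parsed as a command line. Returns argc on success, -1 if rejected. */
int build_export_argv_safe(const char *user, const char *argv[], size_t argv_cap) {
    if (argv_cap < 4 || !is_valid_user_arg(user)) return -1;
    argv[0] = "/usr/sbin/ovpn-export";   /* hypothetical helper path */
    argv[1] = "--user";
    argv[2] = user;                      /* passed verbatim, not interpolated */
    argv[3] = NULL;
    return 3;
}

int main(void) {
    char cmd[128];
    const char *argv[4];
    const char *crafted = "alice;id";    /* constructed sample: ';' survives snprintf */
    build_export_cmd_unsafe(cmd, sizeof cmd, crafted);
    printf("unsafe command line: %s\n", cmd);
    printf("hardened result for 'alice': %d\n", build_export_argv_safe("alice", argv, 4));
    printf("hardened result for crafted value: %d\n", build_export_argv_safe(crafted, argv, 4));
    return 0;
}
```

Running the CGI process as an unprivileged user with only the files the export needs is the third control on this page; it limits what a bypass of the validator could reach.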

Vulnerability details

A vulnerability was determined in TOTOLINK X5000R 9.1.0cu.2089_B20211224. Affected by this issue is the function snprintf of the file /cgi-bin/cstecgi.cgi?action=exportOvpn&type=user. This manipulation of the argument User causes OS command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

T1202 Indirect Command Execution (Stealth)
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
Why these techniques?

The public-facing CGI vulnerability enables remote exploitation (T1190). It allows OS command injection via snprintf/system() on an embedded Linux router, facilitating Unix shell execution (T1059.004) and indirect command execution (T1202), as noted in the advisories.

CVEs Like This One

CVE-2025-9934 (same product: Totolink X5000R)
CVE-2024-57016 (same product: Totolink X5000R)
CVE-2024-57012 (same product: Totolink X5000R)
CVE-2024-57018 (same product: Totolink X5000R)
CVE-2024-57021 (same product: Totolink X5000R)
CVE-2024-57015 (same product: Totolink X5000R)
CVE-2024-57013 (same product: Totolink X5000R)
CVE-2024-57022 (same product: Totolink X5000R)
CVE-2024-57020 (same product: Totolink X5000R)
CVE-2024-57014 (same product: Totolink X5000R)

Affected Assets

Vendor: totolink
Product: x5000r firmware
Version: 9.1.0cu.2089_b20211224

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent (SI-2, Flaw Remediation): Directly remediates the OS command injection flaw in the snprintf function of cstecgi.cgi by requiring timely patching of the TOTOLINK firmware.

Prevent (SI-10, Information Input Validation): Validates and sanitizes the User argument to the exportOvpn endpoint, preventing malicious input from triggering command injection.

Prevent (least privilege): Enforces least privilege on the CGI process handling user input, limiting the impact and scope of any successful command injection.