CVE-2025-14586
Published: 13 December 2025
Summary
CVE-2025-14586 is a medium-severity Command Injection (CWE-77) vulnerability in Totolink X5000R Firmware. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 28.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the OS command injection flaw in the snprintf function of cstecgi.cgi by requiring timely patching of the TOTOLINK firmware.
Validates and sanitizes the User argument to the exportOvpn endpoint, preventing malicious input from triggering command injection.
Enforces least privilege on the CGI process handling user input, limiting the impact and scope of any successful command injection.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Public-facing CGI vulnerability enables remote exploitation (T1190). Allows OS command injection via snprintf/system() on embedded Linux router, facilitating Unix Shell execution (T1059.004) and indirect command execution (T1202) as noted in advisories.
NVD Description
A vulnerability was determined in TOTOLINK X5000R 9.1.0cu.2089_B20211224. Affected by this issue is the function snprintf of the file /cgi-bin/cstecgi.cgi?action=exportOvpn&type=user. This manipulation of the argument User causes os command injection. Remote exploitation of the attack is possible. The exploit has…
more
been publicly disclosed and may be utilized.
Deeper analysisAI
CVE-2025-14586 is an OS command injection vulnerability (CWE-77, CWE-78) affecting the TOTOLINK X5000R router on firmware version 9.1.0cu.2089_B20211224. The flaw exists in the snprintf function of the /cgi-bin/cstecgi.cgi?action=exportOvpn&type=user endpoint, where manipulation of the "User" argument triggers command injection.
Remote exploitation is possible by attackers with low privileges over the network (AV:N/AC:L/PR:L/UI:N), requiring no user interaction and maintaining unchanged scope. Successful attacks yield low impacts on confidentiality, integrity, and availability (CVSS 6.3), allowing arbitrary OS command execution.
VulDB advisories detail the issue and reference a publicly disclosed proof-of-concept exploit on GitHub. The vendor's site at totolink.net is listed, but no specific patches or mitigations are outlined in the provided references.
The exploit has been publicly disclosed and may be utilized, heightening the risk of real-world attacks on unpatched devices.
Details
- CWE(s)