CVE-2025-14586
Published: 13 December 2025
Summary
CVE-2025-14586 is a low-severity Command Injection (CWE-77) vulnerability in Totolink X5000R Firmware. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 23.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A vulnerability was identified in the TOTOLINK X5000R router running firmware version 9.1.0cu.2089_B20211224. The issue resides in the snprintf function of /cgi-bin/cstecgi.cgi when processing the exportOvpn action with a user-supplied argument, allowing OS command injection via manipulation of the User parameter. The flaw is tracked under CWE-77 and CWE-78 and carries a CVSS 4.0 score of 2.1.
An authenticated remote attacker can send a crafted HTTP request to the affected CGI endpoint and inject arbitrary operating-system commands. Successful exploitation yields limited effects on confidentiality, integrity, and availability of the device, with the public exploit code demonstrating remote reachability without user interaction.
The EPSS score has risen from a low baseline to a recorded peak of 0.0192, indicating growing exploitation interest after disclosure. Public proof-of-concept material is available, and the vendor site is listed among references, though no specific patch or mitigation guidance is detailed in the available advisories.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-203237
Vulnerability details
A vulnerability was determined in TOTOLINK X5000R 9.1.0cu.2089_B20211224. Affected by this issue is the function snprintf of the file /cgi-bin/cstecgi.cgi?action=exportOvpn&type=user. Manipulation of the argument User causes OS command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
- CWE(s): CWE-77 (Command Injection), CWE-78 (OS Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The public-facing CGI endpoint enables remote exploitation (T1190). The flaw allows OS command injection via snprintf/system() on an embedded Linux router, facilitating Unix Shell execution (T1059.004) and Indirect Command Execution (T1202), as noted in advisories.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly remediates the OS command injection flaw in the snprintf function of cstecgi.cgi by requiring timely patching of the TOTOLINK firmware.
- SI-10 (Information Input Validation): Validates and sanitizes the User argument to the exportOvpn endpoint, preventing malicious input from triggering command injection.
- AC-6 (Least Privilege): Enforces least privilege on the CGI process handling user input, limiting the impact and scope of any successful command injection.
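The C program below is an added example, not code from TOTOLINK's firmware or from this advisory. It contrasts the pattern the analysis describes (an untrusted User parameter formatted with snprintf into a command string that is handed to a shell) with the SI-10 input-validation control listed above: a strict allowlist on the parameter, and a shell-free execv path so the value can never be parsed as shell syntax. The function names, the helper binary path /usr/sbin/openvpn-export, the 32-character limit and the [A-Za-z0-9_-] allowlist are all hypothetical choices made for the illustration; the sample inputs in main are constructed.

```c
/* Added example (not TOTOLINK firmware code): the unsafe snprintf-to-shell
 * pattern described in the advisory, beside an allowlisted, shell-free path.
 * All names and paths here are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define USER_MAX 32   /* hypothetical maximum length for the User value */
#define CMD_MAX 256

/* UNSAFE: the CGI parameter is interpolated straight into a shell command.
 * Any shell metacharacter in `user` becomes part of the line that system()
 * would hand to /bin/sh. Included only to contrast with the safe path;
 * it is never executed by this program. */
int build_export_command_unsafe(char *cmd, size_t cmd_len, const char *user) {
    int n = snprintf(cmd, cmd_len, "/usr/sbin/openvpn-export %s", user);
    return n > 0 && (size_t)n < cmd_len;
}

/* SI-10: allowlist the User argument before it is used anywhere.
 * Returns 1 if `user` is 1..USER_MAX characters of [A-Za-z0-9_-], else 0. */
int is_valid_username(const char *user) {
    size_t len;
    if (user == NULL) return 0;
    len = strlen(user);
    if (len == 0 || len > USER_MAX) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        if (!(isalnum(c) || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Safe path: the validated value goes into an argv array, not a shell string.
 * Fills argv and returns 1, or returns 0 (argv untouched) if input is invalid. */
int build_export_argv(const char *user, const char *argv[4]) {
    if (!is_valid_username(user)) return 0;
    argv[0] = "/usr/sbin/openvpn-export";  /* hypothetical helper binary */
    argv[1] = "--user";
    argv[2] = user;
    argv[3] = NULL;
    return 1;
}

/* Run the export with fork + execv and no shell in between. Returns the
 * child's exit status, or -1 if the input was rejected or no process ran. */
int run_export(const char *user) {
    const char *argv[4];
    pid_t pid;
    int status;
    if (!build_export_argv(user, argv)) return -1;
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);
        _exit(127);  /* execv only returns on failure */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* constructed sample inputs: one benign name and three that the
     * allowlist must reject before they reach any command builder */
    const char *inputs[] = { "alice", "alice; id", "a b", "" };
    char cmd[CMD_MAX];
    for (size_t i = 0; i < 4; i++) {
        build_export_command_unsafe(cmd, sizeof cmd, inputs[i]);
        printf("input \"%s\" -> unsafe cmd: \"%s\" | allowlist: %s\n",
               inputs[i], cmd,
               is_valid_username(inputs[i]) ? "accept" : "reject");
    }
    return 0;
}
```

The point of the two builders side by side is that validation has to happen before the value reaches snprintf, and that even a validated value is better passed as a separate argv element than spliced into a string a shell will re-parse; run_export never reaches fork() for a rejected value.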