CVE-2025-1829
Published: 02 March 2025
Summary
CVE-2025-1829 is a medium-severity Command Injection (CWE-77) vulnerability in Totolink X18 Firmware. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 25.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A vulnerability identified as CVE-2025-1829 affects the TOTOLINK X18 device running firmware version 9.1.0cu.2024_B20220329. It resides in the setMtknatCfg function of /cgi-bin/cstecgi.cgi, where improper handling of the mtkhnatEnable argument permits OS command injection. The issue is tracked under CWE-77 and CWE-78 and carries a CVSS 4.0 score of 5.3, reflecting network-accessible attack vectors that require low privileges.
An authenticated remote attacker can supply crafted input to the affected parameter and execute arbitrary operating-system commands on the device. Successful exploitation yields limited effects on confidentiality, integrity, and availability of the target system. Publicly available exploit code has been released, enabling potential reuse by threat actors.
No vendor patch or mitigation guidance has been issued, as TOTOLINK did not respond to early disclosure notification. The associated EPSS score rose from a low baseline to a peak of 0.0342 before receding to its current value of 0.0082, indicating a period of increased exploitation interest after the vulnerability became public.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5854
Vulnerability details
A vulnerability was found in TOTOLINK X18 9.1.0cu.2024_B20220329. It has been declared as critical. This vulnerability affects the function setMtknatCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument mtkhnatEnable leads to os command injection. The attack can be initiated…
more
remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote OS command injection vulnerability in public-facing CGI script (/cgi-bin/cstecgi.cgi) enables exploitation of public-facing applications (T1190) and direct execution of arbitrary Unix shell commands via unsanitized 'mtkhnatEnable' parameter passed to dosystem() (T1059.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents OS command injection by requiring validation of the mtkhnatEnable parameter in the vulnerable setMtknatCfg function of cstecgi.cgi.
Mitigates the vulnerability by mandating timely flaw remediation, including patching the command injection issue in the router firmware despite vendor inaction.
Limits damage from successful command injection by enforcing least privilege on processes handling the vulnerable CGI script, reducing impact of executed commands.