Cyber Resilience

CVE-2025-1829

MediumPublic PoC

Published: 02 March 2025

Published
02 March 2025
Modified
03 April 2025
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0082 74.9th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1829 is a medium-severity Command Injection (CWE-77) vulnerability in Totolink X18 Firmware. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 25.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A vulnerability identified as CVE-2025-1829 affects the TOTOLINK X18 device running firmware version 9.1.0cu.2024_B20220329. It resides in the setMtknatCfg function of /cgi-bin/cstecgi.cgi, where improper handling of the mtkhnatEnable argument permits OS command injection. The issue is tracked under CWE-77 and CWE-78 and carries a CVSS 4.0 score of 5.3, reflecting network-accessible attack vectors that require low privileges.

An authenticated remote attacker can supply crafted input to the affected parameter and execute arbitrary operating-system commands on the device. Successful exploitation yields limited effects on confidentiality, integrity, and availability of the target system. Publicly available exploit code has been released, enabling potential reuse by threat actors.

No vendor patch or mitigation guidance has been issued, as TOTOLINK did not respond to early disclosure notification. The associated EPSS score rose from a low baseline to a peak of 0.0342 before receding to its current value of 0.0082, indicating a period of increased exploitation interest after the vulnerability became public.

EU & UK References

Vulnerability details

A vulnerability was found in TOTOLINK X18 9.1.0cu.2024_B20220329. It has been declared as critical. This vulnerability affects the function setMtknatCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument mtkhnatEnable leads to os command injection. The attack can be initiated…

more

remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Remote OS command injection vulnerability in public-facing CGI script (/cgi-bin/cstecgi.cgi) enables exploitation of public-facing applications (T1190) and direct execution of arbitrary Unix shell commands via unsanitized 'mtkhnatEnable' parameter passed to dosystem() (T1059.004).

CVEs Like This One

CVE-2025-1339Same product: Totolink X18
CVE-2025-61045Same product: Totolink X18
CVE-2025-61044Same product: Totolink X18
CVE-2025-1340Same product: Totolink X18
CVE-2026-3301Same vendor: Totolink
CVE-2025-2094Same vendor: Totolink
CVE-2025-2096Same vendor: Totolink
CVE-2026-4611Same vendor: Totolink
CVE-2025-14586Same vendor: Totolink
CVE-2026-5101Same vendor: Totolink

Affected Assets

totolink
x18 firmware
9.1.0cu.2024_b20220329

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents OS command injection by requiring validation of the mtkhnatEnable parameter in the vulnerable setMtknatCfg function of cstecgi.cgi.

prevent

Mitigates the vulnerability by mandating timely flaw remediation, including patching the command injection issue in the router firmware despite vendor inaction.

prevent

Limits damage from successful command injection by enforcing least privilege on processes handling the vulnerable CGI script, reducing impact of executed commands.

References