CVE-2025-2094
Published: 07 March 2025
Summary
CVE-2025-2094 is a medium-severity Command Injection (CWE-77) vulnerability in Totolink Ex1800T Firmware. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 3.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A vulnerability exists in the TOTOLINK EX1800T wireless extender running firmware 9.1.0cu.2112_B20220316. The issue is an OS command injection flaw in the setWiFiExtenderConfig function within /cgi-bin/cstecgi.cgi, where unsanitized input to the apcliKey or key parameters allows arbitrary command execution. It is tracked as CVE-2025-2094, assigned CWE-77 and CWE-78, and carries a CVSS 4.0 score of 5.3 reflecting network attack vector and low privileges required.
An authenticated remote attacker can supply crafted values to the affected parameters and execute operating-system commands on the device. Successful exploitation yields limited control over confidentiality, integrity, and availability of the extender without user interaction, and a working proof-of-concept has already been published.
No vendor advisory or patch information is provided in the available references, which include only the public exploit disclosure and the manufacturer’s general site. The EPSS score has remained flat at 0.2497 since disclosure, indicating steady but not sharply increasing exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7493
Vulnerability details
A vulnerability was found in TOTOLINK EX1800T 9.1.0cu.2112_B20220316. It has been rated as critical. Affected by this issue is the function setWiFiExtenderConfig of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument apcliKey/key leads to os command injection. The attack may…
more
be launched remotely. The exploit has been disclosed to the public and may be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection in public-facing CGI endpoint (setWiFiExtenderConfig) directly enables T1190 via crafted web requests and T1059.004 for arbitrary Unix shell command execution on the router firmware.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents OS command injection by validating and sanitizing the apcliKey/key input to the setWiFiExtenderConfig function in the CGI script.
Remediates the specific command injection vulnerability in the TOTOLINK router firmware through timely flaw identification, reporting, and patching.
Limits the scope and impact of injected OS commands by enforcing least privilege on the low-privilege process handling the vulnerable endpoint.