Cyber Resilience

CVE-2025-2094

MediumPublic PoC

Published: 07 March 2025

Published
07 March 2025
Modified
03 April 2025
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.2497 96.3th percentile
Risk Priority 26 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-2094 is a medium-severity Command Injection (CWE-77) vulnerability in Totolink Ex1800T Firmware. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 3.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A vulnerability exists in the TOTOLINK EX1800T wireless extender running firmware 9.1.0cu.2112_B20220316. The issue is an OS command injection flaw in the setWiFiExtenderConfig function within /cgi-bin/cstecgi.cgi, where unsanitized input to the apcliKey or key parameters allows arbitrary command execution. It is tracked as CVE-2025-2094, assigned CWE-77 and CWE-78, and carries a CVSS 4.0 score of 5.3 reflecting network attack vector and low privileges required.

An authenticated remote attacker can supply crafted values to the affected parameters and execute operating-system commands on the device. Successful exploitation yields limited control over confidentiality, integrity, and availability of the extender without user interaction, and a working proof-of-concept has already been published.

No vendor advisory or patch information is provided in the available references, which include only the public exploit disclosure and the manufacturer’s general site. The EPSS score has remained flat at 0.2497 since disclosure, indicating steady but not sharply increasing exploitation interest.

EU & UK References

Vulnerability details

A vulnerability was found in TOTOLINK EX1800T 9.1.0cu.2112_B20220316. It has been rated as critical. Affected by this issue is the function setWiFiExtenderConfig of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument apcliKey/key leads to os command injection. The attack may…

more

be launched remotely. The exploit has been disclosed to the public and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

OS command injection in public-facing CGI endpoint (setWiFiExtenderConfig) directly enables T1190 via crafted web requests and T1059.004 for arbitrary Unix shell command execution on the router firmware.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-2096Same product: Totolink Ex1800T
CVE-2025-2095Same product: Totolink Ex1800T
CVE-2025-1852Same product: Totolink Ex1800T
CVE-2025-2370Same product: Totolink Ex1800T
CVE-2025-2097Same product: Totolink Ex1800T
CVE-2025-2369Same product: Totolink Ex1800T
CVE-2026-3301Same vendor: Totolink
CVE-2025-1339Same vendor: Totolink
CVE-2025-1829Same vendor: Totolink
CVE-2026-4611Same vendor: Totolink

Affected Assets

totolink
ex1800t firmware
9.1.0cu.2112_b20220316

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents OS command injection by validating and sanitizing the apcliKey/key input to the setWiFiExtenderConfig function in the CGI script.

prevent

Remediates the specific command injection vulnerability in the TOTOLINK router firmware through timely flaw identification, reporting, and patching.

prevent

Limits the scope and impact of injected OS commands by enforcing least privilege on the low-privilege process handling the vulnerable endpoint.

References