CVE-2025-2095
Published: 07 March 2025
Summary
CVE-2025-2095 is a medium-severity command injection (CWE-77) vulnerability in TOTOLINK EX1800T firmware. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 13.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The advisory text rates the issue as "critical", while its CVSS 4.0 base score is 5.3 (Medium). It affects the TOTOLINK EX1800T wireless router running firmware version 9.1.0cu.2112_B20220316. The issue resides in the setDmzCfg function of the /cgi-bin/cstecgi.cgi endpoint, where the ip argument is passed to an OS command without adequate validation, permitting OS command injection. The flaw is tracked under CWE-77 and CWE-78. The CVSS 4.0 score reflects a network attack vector, low attack complexity, low privileges required, and low confidentiality, integrity and availability impact.
A remote attacker holding low-privileged (authenticated) access to the web interface can supply a crafted ip value to the affected CGI handler and execute arbitrary operating-system commands on the device. Successful exploitation is scored with limited read, write, and availability impact on the target system; public exploit code has been released.
The listed references include a detailed proof-of-concept on GitHub, multiple VulDB entries, and the vendor homepage, but no specific patch or mitigation guidance appears in the available data. The EPSS score rose from a low baseline to a recorded peak of 0.0422 before settling at its current value of 0.0295, indicating emerging exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7494
Vulnerability details
A vulnerability classified as critical has been found in TOTOLINK EX1800T 9.1.0cu.2112_B20220316. This affects the function setDmzCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument ip leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection via the public-facing web CGI (the ip parameter of setDmzCfg), reachable with the low privileges the CVSS vector requires, constitutes exploitation of a public-facing application (T1190). The injected command runs indirectly through the web interface rather than an interactive session (T1202) and is executed by the router's Unix shell (T1059.004) or network device CLI (T1059.008).
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): Directly prevents OS command injection by requiring that the ip argument handled by setDmzCfg is validated against the expected IP address format, so that values containing shell metacharacters are rejected before any command is built.
SI-2 (Flaw Remediation): Addresses the specific flaw in TOTOLINK EX1800T firmware by requiring timely remediation through vendor patches or firmware updates.
Least privilege: Limits the damage an injected command can do by running the cgi-bin process that handles setDmzCfg with the minimum privileges it needs, keeping the impact within the low confidentiality, integrity and availability impact (C:L/I:L/A:L) assumed in the CVSS vector; a CGI handler running as root would otherwise give an injected command full control of the device.
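The following C program is an added illustration written for this page; it is not code from the TOTOLINK firmware, from any referenced proof-of-concept, or from VulDB. It contrasts the bug class described in the analysis above (an attacker-controlled ip value interpolated into a shell command line) with the input validation that SI-10 calls for, plus an argv-based invocation that never hands the value to a shell. The function names, the simplified iptables command line, and the sample inputs are constructed for the example; the real setDmzCfg implementation is not available on this page.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Strict dotted-quad IPv4 check: exactly four decimal octets in 0-255,
 * no leading zeros, no surrounding or embedded characters of any kind.
 * Shell metacharacters (';', '|', '&', '`', '$', quotes, newlines) never
 * pass because only digits and '.' are accepted at all. Returns 1 or 0. */
int is_valid_ipv4(const char *s)
{
    int octets = 0;

    if (s == NULL || *s == '\0' || strlen(s) > 15)
        return 0;
    while (*s != '\0') {
        int value = 0, digits = 0;

        if (*s == '0' && s[1] >= '0' && s[1] <= '9')
            return 0;                       /* "01", "007": ambiguous octal */
        while (*s >= '0' && *s <= '9') {
            value = value * 10 + (*s - '0');
            if (value > 255 || ++digits > 3)
                return 0;
            s++;
        }
        if (digits == 0)
            return 0;                       /* empty octet or a non-digit */
        octets++;
        if (*s == '.') {
            if (s[1] == '\0')
                return 0;                   /* trailing dot */
            s++;
        } else if (*s != '\0') {
            return 0;                       /* e.g. ';' after a valid octet */
        }
    }
    return octets == 4;
}

/* Injectable pattern (constructed illustration of the bug class, not the
 * firmware's code): the request parameter is pasted into a command line
 * that would then be handed to system()/popen(). Returns the command string
 * so the effect of a crafted value can be inspected without running it. */
const char *build_dmz_command_unsafe(const char *ip)
{
    static char cmd[256];

    snprintf(cmd, sizeof cmd,
             "iptables -t nat -A PREROUTING -j DNAT --to-destination %s", ip);
    return cmd;
}

/* Hardened handler: reject anything that is not a plain IPv4 address, then
 * pass the value as one argv element via execvp() so no shell parses it.
 * Returns -1 when the input is rejected, 0 when accepted in dry-run mode,
 * otherwise the child's exit status. The iptables rule is simplified. */
int set_dmz_cfg_hardened(const char *ip, int dry_run)
{
    pid_t pid;
    int status = 0;
    char *const argv[] = { "iptables", "-t", "nat", "-A", "PREROUTING",
                           "-j", "DNAT", "--to-destination", (char *)ip, NULL };

    if (!is_valid_ipv4(ip))
        return -1;
    if (dry_run)
        return 0;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                         /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample inputs: a benign address and a crafted one that
     * appends a second command. */
    const char *inputs[] = { "192.168.1.10", "192.168.1.10;reboot" };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("input %-22s unsafe cmd: %s\n", inputs[i],
               build_dmz_command_unsafe(inputs[i]));
        printf("  hardened handler: %s\n",
               set_dmz_cfg_hardened(inputs[i], 1) == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

Two design points matter more than the regex-free parser itself: validation is an allow-list (digits and dots in a fixed shape) rather than a deny-list of known metacharacters, and the validated value still never reaches a shell, because execvp() receives it as a single argument. Either measure alone blocks the crafted value shown; together they also survive a future change to the command line.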