CVE-2025-2096
Published: 07 March 2025
Summary
CVE-2025-2096 is a medium-severity Command Injection (CWE-77) vulnerability in Totolink Ex1800T Firmware. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 11.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Prevents OS command injection by requiring validation of untrusted inputs to the setRebootScheCfg function parameters such as mode, week, minute, and recHour.
Directly mitigates the vulnerability through identification, reporting, and correction of the command injection flaw in the /cgi-bin/cstecgi.cgi file.
Reduces impact of injected commands by enforcing least privilege on low-privilege accounts accessing the vulnerable CGI endpoint.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote OS command injection in the router's public-facing web CGI interface enables exploitation of public-facing applications (T1190) and execution of arbitrary Unix shell commands on the embedded Linux-based device (T1059.004).
NVD Description
A vulnerability classified as critical was found in TOTOLINK EX1800T 9.1.0cu.2112_B20220316. This vulnerability affects the function setRebootScheCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument mode/week/minute/recHour leads to os command injection. The attack can be initiated remotely. The exploit…
more
has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-2096 is a critical OS command injection vulnerability in the TOTOLINK EX1800T router running firmware version 9.1.0cu.2112_B20220316. The issue resides in the setRebootScheCfg function within the /cgi-bin/cstecgi.cgi file, where manipulation of the arguments mode, week, minute, or recHour enables arbitrary command execution. Associated with CWE-77 (Command Injection) and CWE-78 (OS Command Injection), it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
A remote attacker with low privileges (PR:L) can exploit this vulnerability over the network with no user interaction required. By crafting malicious requests to the affected CGI endpoint, the attacker injects and executes operating system commands, potentially leading to limited impacts on confidentiality, integrity, and availability, such as data leakage, modification of system settings, or service disruption.
Advisories from VulDB and a public GitHub repository detail the vulnerability and provide a proof-of-concept exploit targeting the setRebootScheCfg endpoint. The manufacturer's website (totolink.net) is referenced, but no specific patches or mitigation guidance are outlined in the available sources; practitioners should monitor for firmware updates from TOTOLINK.
The exploit has been publicly disclosed and is available for use, increasing the risk of targeted attacks against exposed TOTOLINK EX1800T devices.
Details
- CWE(s)