Cyber Resilience

CVE-2025-25579

CriticalPublic PoCRCE

Published: 28 March 2025

Published
28 March 2025
Modified
07 April 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.3298 97.0th percentile
Risk Priority 39 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-25579 is a critical-severity OS Command Injection (CWE-78) vulnerability in Totolink A3002R Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Device CLI (T1059.008); ranked in the top 3.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

TOTOLINK A3002R firmware version V4.0.0-B20230531.1404 contains a command injection vulnerability in the /bin/boa component triggered through the bandstr parameter. The flaw is tracked as CVE-2025-25579 with a CVSS 3.1 score of 9.8 and is classified under CWE-78.

Unauthenticated attackers with network access can supply crafted input to the affected parameter and execute arbitrary operating system commands on the device. Successful exploitation grants full control over the router, enabling impacts to confidentiality, integrity, and availability without requiring user interaction or credentials.

Public proof-of-concept code demonstrating remote command execution has been published on GitHub. No vendor advisory or official patch information is referenced in the available sources.

The CVE carries an EPSS score with a recorded peak of 0.3849 and a current value of 0.3298, indicating sustained moderate exploitation interest following disclosure.

EU & UK References

Vulnerability details

TOTOLINK A3002R V4.0.0-B20230531.1404 is vulnerable to Command Injection in /bin/boa via bandstr.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a remote unauthenticated OS command injection via the web interface (boa) on a network device (router), enabling exploitation of a public-facing application (T1190) and command/script execution using the network device CLI/interpreter (T1059.008).

CVEs Like This One

CVE-2025-55591Same product: Totolink A3002R
CVE-2025-25609Same product: Totolink A3002R
CVE-2025-25635Same product: Totolink A3002R
CVE-2025-25610Same product: Totolink A3002R
CVE-2025-11005Same vendor: Totolink
CVE-2026-31177Same vendor: Totolink
CVE-2026-31181Same vendor: Totolink
CVE-2025-51390Same vendor: Totolink
CVE-2026-31178Same vendor: Totolink
CVE-2024-57017Same vendor: Totolink

Affected Assets

totolink
a3002r firmware
4.0.0-b20230531.1404

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates command injection by requiring validation of untrusted inputs like the bandstr parameter in the /bin/boa web component.

prevent

Addresses the root cause by requiring timely identification, reporting, and correction of the specific command injection flaw in TOTOLINK A3002R firmware.

detect

Enables periodic and event-driven vulnerability scanning to identify the CVE-2025-25579 command injection vulnerability in the affected router firmware.

References