CVE-2025-25579
Published: 28 March 2025
Summary
CVE-2025-25579 is a critical-severity OS Command Injection (CWE-78) vulnerability in Totolink A3002R Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Device CLI (T1059.008); ranked in the top 2.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates command injection by requiring validation of untrusted inputs like the bandstr parameter in the /bin/boa web component.
Addresses the root cause by requiring timely identification, reporting, and correction of the specific command injection flaw in TOTOLINK A3002R firmware.
Enables periodic and event-driven vulnerability scanning to identify the CVE-2025-25579 command injection vulnerability in the affected router firmware.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a remote unauthenticated OS command injection via the web interface (boa) on a network device (router), enabling exploitation of a public-facing application (T1190) and command/script execution using the network device CLI/interpreter (T1059.008).
NVD Description
TOTOLINK A3002R V4.0.0-B20230531.1404 is vulnerable to Command Injection in /bin/boa via bandstr.
Deeper analysisAI
CVE-2025-25579 is a command injection vulnerability (CWE-78) affecting the TOTOLINK A3002R router running firmware version V4.0.0-B20230531.1404. The flaw resides in the /bin/boa component and is triggered via the "bandstr" parameter, allowing attackers to inject operating system commands. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for complete system compromise.
Any unauthenticated attacker with network access to the affected device can exploit this vulnerability without user interaction or privileges. Successful exploitation enables remote command execution, granting full control over the router, including data exfiltration, modification of configurations, or disruption of services.
Proof-of-concept exploits are available in public repositories, such as https://gist.github.com/regainer27/0abf6f56eae3fa2826d2551e22c2ace3 and https://github.com/regainer27/totolink_A3002R_remote_command_exec, demonstrating remote command execution capabilities. No official vendor advisories or patches are detailed in the available references.
Details
- CWE(s)