CVE-2025-29064
Published: 03 April 2025
Summary
CVE-2025-29064 is a critical-severity Code Injection (CWE-94) vulnerability in Totolink X18 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 12.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2025-29064 is a code injection vulnerability (CWE-94) in TOTOLINK X18 firmware version 9.1.0cu.2024_B20220329. The flaw resides in the sub_410E54 function of cstecgi.cgi and carries a CVSS 3.1 score of 9.8, reflecting a network attack vector, low attack complexity, and no required privileges or user interaction.
A remote unauthenticated attacker can send crafted requests to the affected CGI endpoint to execute arbitrary code on the device, resulting in full control over confidentiality, integrity, and availability of the router.
The two provided references describe an OS command injection vector reachable through the setLanguageCfg_lang parameter but contain no vendor advisory, patch information, or mitigation guidance. The associated EPSS score remains flat at 0.0340 with no observed rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-14824
Vulnerability details
An issue in TOTOLINK x18 v.9.1.0cu.2024_B20220329 allows a remote attacker to execute arbitrary code via the sub_410E54 function of the cstecgi.cgi.
- CWE(s): CWE-94 (Code Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
TOTOLINK X18 firmware version 9.1.0cu.2024_B20220329.
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.
- Validates inputs used in dynamic code generation to block injected directives.
- Directly prevents execution of attacker-supplied code written into data memory regions.
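The injection pattern described in the analysis (an untrusted setLanguageCfg_lang value spliced into a shell command) and the input-validation control listed above, shown side by side as an added C illustration. This is not the firmware's code: the allowlist, the command string and the function names are assumptions, and nothing here is executed by a shell.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical allowlist of language codes; the real firmware's set is unknown. */
static const char *ALLOWED_LANGS[] = { "en", "cn", "de", "fr", "es", NULL };

/* Returns 1 if lang is exactly one of the allowed codes, 0 otherwise.
 * Exact-match allowlisting rejects shell metacharacters and anything
 * unexpected without trying to enumerate "bad" characters. */
int lang_is_allowed(const char *lang) {
    if (lang == NULL) return 0;
    for (int i = 0; ALLOWED_LANGS[i] != NULL; i++)
        if (strcmp(lang, ALLOWED_LANGS[i]) == 0) return 1;
    return 0;
}

/* Unsafe pattern (illustrative, assumed): the untrusted value is spliced into
 * a command line that a handler would later pass to system(). Only the string
 * is built here; it is never run. Returns 1 if the resulting command still
 * carries a shell metacharacter, i.e. the injection would reach the shell. */
int unsafe_build_command(const char *lang, char *out, size_t outlen) {
    const char *prefix = "nvram set lang=";   /* hypothetical command */
    snprintf(out, outlen, "%s%s", prefix, lang);
    return strpbrk(out + strlen(prefix), ";|&`$\n") != NULL;
}

/* Hardened handler: validate first, then store the value through a
 * non-shell path. Returns 0 on success, -1 when the input is rejected. */
int safe_set_language(const char *lang, char *stored, size_t storedlen) {
    if (!lang_is_allowed(lang)) return -1;
    snprintf(stored, storedlen, "%s", lang);  /* stand-in for a direct config write */
    return 0;
}
```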