CVE-2025-29209
Published: 18 April 2025
Summary
CVE-2025-29209 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink X18 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 36.2% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
TOTOLINK X18 firmware version 9.1.0cu.2024_B20220329 contains a command-injection vulnerability (CWE-77) in the sub_41105C function of cstecgi.cgi. A remote attacker can supply crafted input in the enable parameter and cause the device to execute operating-system commands; no authentication or user interaction is required. The flaw received a CVSS 3.1 base score of 9.8, reflecting network attack vector, low complexity, and full impact on confidentiality, integrity, and availability.
Because the affected CGI endpoint is reachable over the network and requires no credentials, any adversary who can reach the web interface can execute commands with the privileges of the CGI process, which on consumer routers is typically root. Successful exploitation therefore grants complete control of the device, enabling traffic interception, persistence, or use as a pivot into the local network.
Public references consist of a technical write-up hosted on GitHub that demonstrates the injection vector; no vendor advisory or firmware patch is referenced in the available sources. The EPSS score rose from a low baseline to a peak of 0.0158 before receding to its current value of 0.0044, indicating a temporary increase in exploitation interest after disclosure.
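Since no vendor fix is referenced, the practical check for a defender is to look for requests that target cstecgi.cgi and carry shell metacharacters in the enable parameter. The detector below is an added example written for this page, not code from the advisory, the GitHub write-up or TOTOLINK. It assumes a simple request-record format (method, path, body) and constructs its own sample requests; the JSON-body form is an assumption about how the CGI may be invoked, not a fact taken from the page.

```python
"""Flag HTTP requests that look like CVE-2025-29209 injection attempts.

Added example, not the advisory's or vendor's code. The record format and the
sample requests are constructed here; whether cstecgi.cgi accepts a JSON body
is an assumption, so both query-string and body forms are checked.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Characters that let input break out of a shell command string built from the
# parameter. A legitimate "enable" flag is a plain token (0/1/true/false), so any
# of these inside it is suspicious. parse_qs decodes %0a, %7c etc. before the
# check, so URL-encoded metacharacters are caught too.
SHELL_META = re.compile(r"[;&|`$<>\n\r]")

TARGET_CGI = "cstecgi.cgi"
TARGET_PARAM = "enable"


def extract_enable_values(path, body):
    """Return every value supplied for `enable`, from the query string and,
    if present, from a JSON-object or form-encoded body."""
    values = []
    query = urlsplit(path).query
    values.extend(parse_qs(query, keep_blank_values=True).get(TARGET_PARAM, []))
    if body:
        try:
            obj = json.loads(body)
        except ValueError:
            # Not JSON: treat the body as application/x-www-form-urlencoded.
            values.extend(parse_qs(body, keep_blank_values=True).get(TARGET_PARAM, []))
        else:
            if isinstance(obj, dict) and TARGET_PARAM in obj:
                values.append(str(obj[TARGET_PARAM]))
    return values


def is_suspicious(record):
    """True if the request targets cstecgi.cgi and any `enable` value contains
    a shell metacharacter."""
    if not urlsplit(record["path"]).path.endswith(TARGET_CGI):
        return False
    values = extract_enable_values(record["path"], record.get("body", ""))
    return any(SHELL_META.search(v) for v in values)


def scan(records):
    """Return the subset of records that should be alerted on."""
    return [r for r in records if is_suspicious(r)]


# Constructed sample requests (not real captured traffic).
SAMPLE_REQUESTS = [
    {"src": "192.0.2.10", "method": "GET", "path": "/cgi-bin/cstecgi.cgi?enable=1", "body": ""},
    {"src": "192.0.2.11", "method": "POST", "path": "/cgi-bin/cstecgi.cgi", "body": '{"enable": "1; id"}'},
    {"src": "192.0.2.12", "method": "GET", "path": "/cgi-bin/cstecgi.cgi?enable=0%7Cwget", "body": ""},
    {"src": "192.0.2.13", "method": "GET", "path": "/index.html?enable=1;id", "body": ""},
    {"src": "192.0.2.14", "method": "POST", "path": "/cgi-bin/cstecgi.cgi", "body": "enable=`reboot`"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print("ALERT", hit["src"], hit["method"], hit["path"], hit.get("body", ""))
```

On the constructed sample the benign `enable=1` request and the request to a different path are ignored; the three records whose enable value carries `;`, `|` or a backtick are flagged. Tighten or loosen `SHELL_META` to match what the device actually accepts; a stricter alternative is to alert on any enable value that is not exactly `0`, `1`, `true` or `false`.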
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-11873
Vulnerability details
TOTOLINK X18 v9.1.0cu.2024_B20220329 has an unauthorized arbitrary command execution in the enable parameter of the sub_41105C function of cstecgi.cgi.
- CWE(s): CWE-77 (Improper Neutralization of Special Elements used in a Command, 'Command Injection')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls are mapped yet, and no vendor firmware fix is referenced in the available sources. Until a patched firmware is available, the practical controls are: do not expose the router's web management interface (and therefore cstecgi.cgi) to the WAN or any untrusted network; restrict LAN access to the administrative interface to trusted hosts; segment the device from sensitive systems; and monitor for requests to cstecgi.cgi whose enable parameter contains shell metacharacters.