Cyber Resilience

CVE-2025-29209

Critical · Public PoC · RCE

Published: 18 April 2025
Modified: 29 April 2025
KEV Added: no (not listed in CISA KEV)
Patch: none referenced
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0044 (63.8th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-29209 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink X18 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 36.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

TOTOLINK X18 firmware version 9.1.0cu.2024_B20220329 contains a command-injection vulnerability (CWE-77) in the sub_41105C function of cstecgi.cgi. Unauthenticated attackers can supply arbitrary input to the enable parameter and cause the device to execute operating-system commands without any prior authentication or user interaction. The flaw received a CVSS 3.1 base score of 9.8, reflecting network attack vector, low complexity, and full impact on confidentiality, integrity, and availability.

Because the affected CGI endpoint is reachable over the network and requires no credentials, any remote adversary can exploit the issue to obtain a root shell on the router. Successful exploitation grants complete control of the device, enabling traffic interception, persistence, or use as an attack pivot inside the local network.

Public references consist of a technical write-up hosted on GitHub that demonstrates the injection vector; no vendor advisory or firmware patch is referenced in the available sources. The EPSS score rose from a low baseline to a peak of 0.0158 before receding to its current value of 0.0044, indicating a temporary increase in exploitation interest after disclosure.
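Because the vulnerable input is a single named parameter on a known CGI endpoint, a defender can watch for it in web-server logs. The following is an added detection example, not code from the page's sources: it flags requests to cstecgi.cgi whose enable parameter contains shell metacharacters, run over constructed Common Log Format lines. The /cgi-bin/ path and the log format are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# A boolean/numeric "enable" flag has no business containing shell
# metacharacters; any of these in the decoded value is a strong signal.
SHELL_META = re.compile(r"[;&|`$<>\n]")

# Extracts the request line from a Common Log Format entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not real captures). The /cgi-bin/ path
# is an assumption; the page only names the CGI file.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Apr/2025:10:00:01 +0000] "GET /cgi-bin/cstecgi.cgi?enable=1 HTTP/1.1" 200 512
192.0.2.11 - - [18/Apr/2025:10:00:02 +0000] "GET /cgi-bin/cstecgi.cgi?enable=1%3Bid HTTP/1.1" 200 74
192.0.2.12 - - [18/Apr/2025:10:00:03 +0000] "GET /index.html?enable=1%3Bid HTTP/1.1" 200 900
"""


def suspicious_enable_value(target: str):
    """Return the decoded 'enable' value when it carries shell metacharacters,
    otherwise None. Only requests whose path ends in cstecgi.cgi are checked."""
    parts = urlsplit(target)
    if not parts.path.endswith("/cstecgi.cgi"):
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("enable", []):
        # parse_qs already decodes once; a second pass catches double-encoding.
        decoded = unquote(value)
        if SHELL_META.search(decoded):
            return decoded
    return None


def scan_log(text: str):
    """Return (client_ip, request_target, decoded_enable_value) for each hit."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        bad = suspicious_enable_value(m.group("target"))
        if bad is not None:
            hits.append((line.split(" ", 1)[0], m.group("target"), bad))
    return hits


if __name__ == "__main__":
    for client, target, value in scan_log(SAMPLE_LOG):
        print(f"ALERT {client} -> {target} (enable={value!r})")
```

If the parameter arrives in a POST body rather than the query string, the access log will not show it; the same check applies to a captured body from a reverse proxy or packet capture.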

Vulnerability details

TOTOLINK X18 v9.1.0cu.2024_B20220329 has an unauthorized arbitrary command execution in the enable parameter of the sub_41105C function of cstecgi.cgi.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: totolink
Product: x18 firmware
Version: 9.1.0cu.2024_b20220329

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
