Cyber Posture

CVE-2025-44655

Critical

Published: 21 July 2025
Modified: 07 August 2025
KEV Added: not listed
Patch: none listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0020 (42.1st percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-44655 is a critical-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Totolink A7100Ru Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 42.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

CM-6 Configuration Settings (prevent)
Requires secure configuration settings for services like vsftpd, directly preventing misconfigurations such as improper chroot_local_user that enable unauthorized system file access.

CM-7 Least Functionality (prevent)
Limits systems to least functionality by disabling unnecessary services like exposed FTP servers, eliminating the attack surface for chroot-related privilege escalations.

AC-6 Least Privilege (prevent)
Enforces least privilege for FTP processes and users, mitigating unauthorized access to system files and privilege escalation resulting from chroot misconfiguration.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

Direct mapping to exploitation of public-facing FTP service for initial access and resulting privilege escalation via misconfigured chroot.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In TOTOLink A7100RU V7.4, A950RG V5.9, and T10 V5.9, the chroot_local_user option is enabled in the vsftpd.conf. This could lead to unauthorized access to system files, privilege escalation, or use of the compromised server as a pivot point for internal network attacks.

Deeper analysis

CVE-2025-44655 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting TOTOLink router models A7100RU V7.4, A950RG V5.9, and T10 V5.9. The issue arises from the chroot_local_user option being enabled in the vsftpd.conf configuration file of the vsftpd FTP server, and is classified as CWE-266 (Incorrect Privilege Assignment for Critical Resource). The vulnerability was published on 2025-07-21; the misconfiguration exposes the devices to risks including unauthorized access to system files.

Remote attackers require no authentication, privileges, or user interaction to exploit the vulnerability over the network. Successful exploitation enables unauthorized access to system files, privilege escalation on the device, or leveraging the compromised router as a pivot point for lateral movement and attacks within internal networks.

Advisories and further details are available from the vendor at http://totolink.com and in a technical gist at https://gist.github.com/TPCchecker/d7306649f51ca25e22dd6532546a58f3, which security practitioners should consult for mitigation guidance and patches.

Details

CWE(s): CWE-266 Incorrect Privilege Assignment

Affected Products

totolink a7100ru firmware 7.4
totolink a950rg firmware 5.9
totolink t10 firmware 5.9

CVEs Like This One

CVE-2025-67187 (same product: Totolink A950Rg)
CVE-2025-14964 (same product: Totolink T10)
CVE-2025-67188 (same product: Totolink A950Rg)
CVE-2025-9533 (same product: Totolink T10)
CVE-2025-67186 (same product: Totolink A950Rg)
CVE-2026-1686 (same vendor: Totolink)
CVE-2026-1158 (same vendor: Totolink)
CVE-2025-25610 (same vendor: Totolink)
CVE-2025-9781 (same vendor: Totolink)
CVE-2026-26731 (same vendor: Totolink)

References