CVE-2025-45800
Published: 02 May 2025
Summary
CVE-2025-45800 is a critical-severity Command Injection (CWE-77) vulnerability in TOTOLINK A950RG firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 22.1% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
TOTOLINK A950RG firmware version V4.1.2cu.5204_B20210112 contains a command injection vulnerability (CWE-77) in the setDeviceName interface within the /lib/cste_modules/global.so library. The flaw arises during processing of the deviceMac parameter and carries a CVSS 3.1 score of 9.8, reflecting network-accessible exploitation with no required credentials or user interaction.
An unauthenticated attacker with network reachability can supply a crafted deviceMac value to the affected interface and achieve arbitrary command execution on the device. Successful exploitation grants full control over confidentiality, integrity, and availability of the router.
The single public reference is a technical write-up and proof-of-concept hosted on GitHub that demonstrates the injection. No vendor advisory or patch information is included in the available references. The associated EPSS score remains low, with only a modest increase from its initial value to a peak of 0.0147.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-13127
Vulnerability details
TOTOLINK A950RG V4.1.2cu.5204_B20210112 contains a command execution vulnerability in the setDeviceName interface of the /lib/cste_modules/global.so library, specifically in the processing of the deviceMac parameter.
- CWE(s): CWE-77
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote command execution through the web interface's setDeviceName endpoint via the deviceMac parameter, facilitating exploitation of a public-facing application on a network device such as a router.