CVE-2025-4849
Published: 18 May 2025
Summary
CVE-2025-4849 is a medium-severity Injection (CWE-74) vulnerability in Totolink N300Rh Firmware. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059); ranked in the top 14.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A command injection vulnerability affects the TOTOLINK N300RH router running firmware version 6.1c.1390_B20191101. The flaw resides in the CloudACMunualUpdateUserdata function within /cgi-bin/cstecgi.cgi, where unsanitized input to the url argument permits arbitrary command execution. It is tracked as CVE-2025-4849, assigned CWE-74 and CWE-77, and carries a CVSS 4.0 score of 5.3 reflecting network access with low privileges and limited impact on confidentiality, integrity, and availability.
An authenticated remote attacker can supply a crafted url value to the CGI endpoint and execute operating-system commands on the device. Because the exploit has already been published, any party with network reachability and valid credentials can leverage it without additional user interaction.
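To make the weakness class concrete, the following is an added illustration and not TOTOLINK's firmware code nor the published proof-of-concept: a hypothetical CGI "cloud update" handler that splices a request parameter named url into a shell command (the CWE-77 pattern described above), next to a hardened variant that allow-lists the value and runs the fetch tool through execv with an argv array, so no shell ever parses attacker-controlled text. The function names, the wget path, the output file and the sample inputs are assumptions made for the example.

```c
/* Illustrative model of a CGI "cloud update" handler. This is NOT the
 * TOTOLINK N300RH code; it only demonstrates the CWE-77 pattern (tainted
 * 'url' parameter reaching /bin/sh) beside a hardened equivalent.
 * Requires a POSIX environment (fork/execv/waitpid). */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define CMD_MAX 512

/* VULNERABLE: the unsanitized 'url' is concatenated into a command line that
 * the caller hands to system(). Anything after ';', '|', '&', '`' or '$(' in
 * the parameter is executed as a second command by /bin/sh -c. */
int build_update_cmd_unsafe(const char *url, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "wget -O /tmp/userdata.bin %s", url);
    /* a real handler would now call system(out); never do that with tainted input */
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* HARDENED step 1: allow-list the value before it is used anywhere.
 * Accept only bounded-length http(s) URLs built from letters, digits and a
 * small set of URL punctuation; quotes, whitespace and shell metacharacters
 * are rejected outright. Returns 1 if acceptable, 0 otherwise. */
int validate_update_url(const char *url)
{
    size_t len = strlen(url);
    const char *rest;

    if (len == 0 || len > 256)
        return 0;
    if (strncmp(url, "https://", 8) == 0)
        rest = url + 8;
    else if (strncmp(url, "http://", 7) == 0)
        rest = url + 7;
    else
        return 0;
    if (*rest == '\0')
        return 0;
    for (const char *p = rest; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (isalnum(c))
            continue;
        if (strchr("-._~:/?=&%", c) != NULL)   /* no ; | & ` $ ' " space or newline */
            continue;
        return 0;
    }
    return 1;
}

/* HARDENED step 2: even a validated value never reaches a shell. The URL is
 * passed as a single argv element to execv, so the kernel delivers it to wget
 * as one opaque string and shell metacharacters have no meaning.
 * Returns the child's exit status, or -1 on validation or process failure. */
int run_update_fetch(const char *url)
{
    if (!validate_update_url(url))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "/usr/bin/wget", "-O", "/tmp/userdata.bin",
                               (char *)url, NULL };   /* assumed wget path */
        execv(argv[0], argv);
        _exit(127);                                  /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* constructed sample input: a benign-looking URL with a trailing command */
    const char *payload = "http://x/;reboot";
    char cmd[CMD_MAX];

    build_update_cmd_unsafe(payload, cmd, sizeof cmd);
    printf("unsafe command line : %s\n", cmd);                 /* shell would run 'reboot' */
    printf("validator (payload) : %d\n", validate_update_url(payload));
    printf("validator (benign)  : %d\n",
           validate_update_url("https://updates.example/fw.bin?v=2"));
    return 0;
}
```

The allow-list is deliberately narrow: for a firmware update URL there is no legitimate need for quotes, spaces or shell metacharacters, so rejecting them costs nothing. The execv step is the part that actually removes the injection primitive; validation alone is a defence in depth that also catches malformed input before a process is spawned.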
Public references point to a detailed proof-of-concept on GitHub and entries on VulDB, while the vendor site offers no specific patch or mitigation guidance in the available records. The associated EPSS score remains flat at 0.0241 (an estimated 2.41% probability of exploitation in the next 30 days) with no observed increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-15715
Vulnerability details
A vulnerability was found in TOTOLINK N300RH 6.1c.1390_B20191101. It has been rated as critical. Affected by this issue is the function CloudACMunualUpdateUserdata of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument url leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI-generated mapping)
Why these techniques?
Command injection through a remotely reachable web CGI endpoint maps to Exploit Public-Facing Application (T1190) for initial access, Command and Scripting Interpreter (T1059) for the operating-system commands the injected url value reaches, and Indirect Command Execution (T1202) because the payload is relayed through the CGI handler rather than invoked directly, as noted in the advisory. The CVSS 4.0 vector cited above records low privileges required, so this mapping should not be read as implying unauthenticated access.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-generated mapping)
Per-CVE control mapping has not run yet for this entry; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Developer security testing (including injection-focused test techniques) identifies improper neutralization of special elements, such as the unsanitized url argument in this case, and verified flaw remediation corrects them before deployment.
- Monitoring for indicators of injection attacks (command, SQL, LDAP and similar) through anomaly and attack detection on requests to the device's web interface.