CVE-2025-51390
Published: 04 August 2025
Summary
CVE-2025-51390 is a critical-severity OS Command Injection (CWE-78) vulnerability in Totolink N600R Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 9.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
TOTOLINK N600R V4.3.0cu.7647_B20210106 contains a command injection vulnerability in the setWiFiWpsConfig function, where the pin parameter is processed without adequate sanitization. The flaw is tracked as CVE-2025-51390 and assigned CWE-78, with a CVSS 3.1 base score of 9.8 reflecting network-accessible, unauthenticated exploitation that can result in full confidentiality, integrity, and availability impact.
An unauthenticated remote attacker can supply a crafted pin value to the affected function and execute arbitrary operating-system commands on the device. Successful exploitation grants the attacker the ability to run code with the privileges of the web-management process, potentially leading to device takeover, configuration changes, or use as a pivot point within a network.
The EPSS score remains flat at 0.0547 with no material increase after disclosure. Public references consist of the vendor site and several GitHub reports that document the issue but do not describe official patches or mitigation steps.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23538
Vulnerability details
TOTOLINK N600R V4.3.0cu.7647_B20210106 was discovered to contain a command injection vulnerability via the pin parameter in the setWiFiWpsConfig function.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection via web interface parameter enables exploitation of public-facing application (T1190) and arbitrary command execution on network device CLI (T1059.008).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents command injection by enforcing validation of the untrusted pin parameter in the setWiFiWpsConfig function.
- SI-2 (Flaw Remediation): remediates the specific command injection flaw through timely identification, reporting, and patching of the vulnerable firmware.
- Disabling or restricting the non-essential WPS configuration functionality that hosts the vulnerable endpoint mitigates exposure while a fix is pending.
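The input-validation control above amounts to allow-listing the pin value before it can reach any command. The following C snippet is an added illustration, not code from TOTOLINK or from this advisory: it accepts a WPS PIN only if it is exactly eight ASCII digits whose last digit is the WPS checksum, and then hands the value to the WPS helper as a discrete argv element rather than through a shell. The helper name wps_pin_tool and the handler set_wps_pin are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Checksum digit for the 7-digit body of a WPS PIN: digits in positions
   1,3,5,7 (from the left) are weighted 3, the others 1. */
static int wps_pin_checksum(const char body[7])
{
    int accum = 0;
    for (int i = 0; i < 7; i++) {
        int d = body[i] - '0';
        accum += (i % 2 == 0) ? 3 * d : d;
    }
    return (10 - accum % 10) % 10;
}

/* Allow-list validation: exactly 8 ASCII digits with a correct checksum.
   Shell metacharacters, spaces and wrong lengths are all rejected here. */
bool wps_pin_valid(const char *pin)
{
    if (pin == NULL || strlen(pin) != 8)
        return false;
    for (int i = 0; i < 8; i++)
        if (!isdigit((unsigned char)pin[i]))
            return false;
    return wps_pin_checksum(pin) == pin[7] - '0';
}

/* Hardened handler shape (hypothetical): validate first, then build an
   argv for posix_spawn()/execv(). No string is ever passed to system(). */
int set_wps_pin(const char *pin, const char *argv_out[4])
{
    if (!wps_pin_valid(pin))
        return -1;                    /* reject; nothing is executed */
    argv_out[0] = "wps_pin_tool";     /* assumed helper binary */
    argv_out[1] = "--pin";
    argv_out[2] = pin;                /* one argv element, never re-parsed */
    argv_out[3] = NULL;
    return 0;
}

int main(void)
{
    const char *argv[4];
    printf("12345670 -> %d\n", set_wps_pin("12345670", argv));   /* 0 */
    printf("12345678 -> %d\n", set_wps_pin("12345678", argv));   /* -1 */
    return 0;
}
```

12345670 is the well-known valid test PIN (checksum digit 0), so it is the one value the handler accepts; anything containing a non-digit is rejected before any process is spawned.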