Cyber Resilience

CVE-2025-51390

Critical · Public PoC · RCE

Published: 04 August 2025
Modified: 15 August 2025
KEV Added: not listed
Patch: none referenced
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0547 (90.4th percentile)
Risk Priority: 23 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-51390 is a critical-severity OS Command Injection (CWE-78) vulnerability in Totolink N600R Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 9.6% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

TOTOLINK N600R V4.3.0cu.7647_B20210106 contains a command injection vulnerability in the setWiFiWpsConfig function, where the pin parameter is processed without adequate sanitization. The flaw is tracked as CVE-2025-51390 and assigned CWE-78, with a CVSS 3.1 base score of 9.8 reflecting network-accessible, unauthenticated exploitation that can result in full confidentiality, integrity, and availability impact.

An unauthenticated remote attacker can supply a crafted pin value to the affected function and execute arbitrary operating-system commands on the device. Successful exploitation grants the attacker the ability to run code with the privileges of the web-management process, potentially leading to device takeover, configuration changes, or use as a pivot point within a network.

The EPSS score remains flat at 0.0547 with no material increase after disclosure. Public references consist of the vendor site and several GitHub reports that document the issue but do not describe official patches or mitigation steps.

EU & UK References

Vulnerability details

TOTOLINK N600R V4.3.0cu.7647_B20210106 was discovered to contain a command injection vulnerability via the pin parameter in the setWiFiWpsConfig function.

CWE(s)

CWE-78 (OS Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.008 Network Device CLI (Execution): Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.
Why these techniques?

Command injection via a web-interface parameter enables exploitation of a public-facing application (T1190) and arbitrary command execution on the network device's CLI (T1059.008).

CVEs Like This One

CVE-2025-9935 (same product: Totolink N600R)
CVE-2025-11444 (same product: Totolink N600R)
CVE-2025-11005 (same vendor: Totolink)
CVE-2026-31177 (same vendor: Totolink)
CVE-2026-31181 (same vendor: Totolink)
CVE-2025-25579 (same vendor: Totolink)
CVE-2026-31178 (same vendor: Totolink)
CVE-2024-57017 (same vendor: Totolink)
CVE-2025-52906 (same vendor: Totolink)
CVE-2025-70328 (same vendor: Totolink)

Affected Assets

Vendor: totolink
Product: n600r firmware
Version: 4.3.0cu.7647_b20210106

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent: SI-10 (Information Input Validation). Directly prevents command injection by enforcing validation of the untrusted pin parameter in the setWiFiWpsConfig function.

Prevent: SI-2 (Flaw Remediation). Remediates the specific command injection flaw through timely identification, reporting, and patching of the vulnerable firmware.

Prevent: Mitigates exposure by disabling or restricting the non-essential WPS configuration functionality that hosts the vulnerable endpoint.
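The SI-10 control above (strict validation of the pin parameter) and the flaw described under Deeper analysis are illustrated by the following added example. It is not TOTOLINK firmware code and not from this page: the tool name wps_tool, the endpoint path /HYPOTHETICAL_WPS_ENDPOINT, the query-string layout and the access-log lines are all constructed for the example. It shows an allowlist validator for a WPS PIN (8 ASCII digits plus the checksum digit defined by the Wi-Fi Simple Configuration spec), the string-splicing anti-pattern next to an argv-list form that no shell ever parses, and a small detector that flags requests whose pin value would fail that validation.

```python
import re
from urllib.parse import parse_qs, urlsplit

# fullmatch on [0-9] only: str.isdigit() also accepts non-ASCII digits, and
# re.match with ^...$ still matches a value that ends in a newline.
WPS_PIN_RE = re.compile(r"[0-9]{8}")


def wps_pin_checksum(first_seven: str) -> int:
    """Checksum digit for an 8-digit WPS PIN (positions 1,3,5,7 weighted 3; 2,4,6 weighted 1)."""
    accum = 0
    for i, ch in enumerate(first_seven):
        accum += (3 if i % 2 == 0 else 1) * int(ch)
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """Allowlist check: exactly 8 ASCII digits whose last digit is the correct checksum."""
    if not WPS_PIN_RE.fullmatch(pin):
        return False
    return wps_pin_checksum(pin[:7]) == int(pin[7])


def build_wps_command_unsafe(pin: str) -> str:
    # Anti-pattern: the untrusted value is spliced into a string that a shell
    # will interpret, so any shell metacharacter in `pin` changes the command.
    return "wps_tool set-pin " + pin          # hypothetical tool name


def build_wps_command_safe(pin: str) -> list:
    """Validate first, then return an argv list for subprocess.run(..., shell=False)."""
    if not is_valid_wps_pin(pin):
        raise ValueError("rejected: WPS PIN must be 8 ASCII digits with a valid checksum")
    return ["wps_tool", "set-pin", pin]        # no shell parses this list


# Constructed access-log lines; the path and query layout are placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Aug/2025:10:00:00 +0000] "POST /HYPOTHETICAL_WPS_ENDPOINT?action=setWiFiWpsConfig&pin=12345670 HTTP/1.1" 200 51
192.0.2.11 - - [04/Aug/2025:10:00:01 +0000] "POST /HYPOTHETICAL_WPS_ENDPOINT?action=setWiFiWpsConfig&pin=12345670%3Bid HTTP/1.1" 200 51
192.0.2.12 - - [04/Aug/2025:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

REQ_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) ')


def find_suspicious_wps_requests(log_text: str) -> list:
    """Return (source, decoded pin) for setWiFiWpsConfig requests whose pin fails validation."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group("target")).query)   # percent-decodes values
        if "setWiFiWpsConfig" not in query.get("action", []):
            continue
        for pin in query.get("pin", []):
            if not is_valid_wps_pin(pin):
                hits.append((m.group("src"), pin))
    return hits


if __name__ == "__main__":
    print(build_wps_command_safe("12345670"))
    print(find_suspicious_wps_requests(SAMPLE_LOG))
```

The validator is an allowlist, not a blocklist of metacharacters: a value that is not exactly eight ASCII digits with the right checksum never reaches the command at all, which is what SI-10 asks for. The detector applies the same rule to the decoded parameter, so an encoded separator in the request is caught after percent-decoding rather than by pattern-matching the raw URL.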

References