Cyber Resilience

CVE-2025-52046

CriticalPublic PoCRCE

Published: 17 July 2025

Published
17 July 2025
Modified
26 September 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.6232 98.4th percentile
Risk Priority 57 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-52046 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink A3300R Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-8 (Identification and Authentication (Non-organizational Users)) and SI-10 (Information Input Validation).

Deeper analysis

Totolink A3300R firmware version V17.0.0cu.596_B20250515 contains a command injection vulnerability tracked as CVE-2025-52046. The flaw resides in the sub_4197C0 function and is triggered through the mac and desc parameters, corresponding to CWE-77. It carries a CVSS 3.1 score of 9.8 reflecting network-accessible, unauthenticated exploitation with high impact on confidentiality, integrity, and availability.

An unauthenticated attacker can submit a crafted HTTP request to the affected device and achieve arbitrary command execution on the router. Successful exploitation grants the attacker full control over the device without requiring credentials or user interaction.

Public references consist of technical write-ups and proof-of-concept material hosted on GitHub and Notion; neither source provides vendor advisory information or patch availability. The CVE maintains a high EPSS score with a current value of 0.6232 and an observed peak of 0.6696.

EU & UK References

Vulnerability details

Totolink A3300R V17.0.0cu.596_B20250515 was found to contain a command injection vulnerability in the sub_4197C0 function via the mac and desc parameters. This vulnerability allows unauthenticated attackers to execute arbitrary commands via a crafted request.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
Why these techniques?

Unauthenticated command injection via crafted web requests to router parameters enables exploitation of a public-facing application (T1190) and arbitrary command execution on the network device (T1059.008).

CVEs Like This One

CVE-2026-5178Same product: Totolink A3300R
CVE-2026-5105Same product: Totolink A3300R
CVE-2026-5176Same product: Totolink A3300R
CVE-2026-31170Same product: Totolink A3300R
CVE-2026-31175Same product: Totolink A3300R
CVE-2026-31177Same product: Totolink A3300R
CVE-2026-31181Same product: Totolink A3300R
CVE-2026-31178Same product: Totolink A3300R
CVE-2026-5103Same product: Totolink A3300R
CVE-2026-5177Same product: Totolink A3300R

Affected Assets

totolink
a3300r firmware
17.0.0cu.596_b20250515

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 mandates information input validation and error handling at input points, directly preventing command injection via unsanitized mac and desc parameters.

prevent

SI-2 requires timely identification, reporting, and correction of flaws, enabling firmware patching to remediate the sub_4197C0 command injection vulnerability.

prevent

IA-8 enforces identification and authentication for non-organizational users, blocking unauthenticated remote attackers from reaching and exploiting the vulnerable endpoint.

References