CVE-2025-52046
Published: 17 July 2025
Summary
CVE-2025-52046 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink A3300R Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-8 (Identification and Authentication (Non-organizational Users)) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 mandates information input validation and error handling at input points, directly preventing command injection via unsanitized mac and desc parameters.
SI-2 requires timely identification, reporting, and correction of flaws, enabling firmware patching to remediate the sub_4197C0 command injection vulnerability.
IA-8 enforces identification and authentication for non-organizational users, blocking unauthenticated remote attackers from reaching and exploiting the vulnerable endpoint.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated command injection via crafted web requests to router parameters enables exploitation of a public-facing application (T1190) and arbitrary command execution on the network device (T1059.008).
NVD Description
Totolink A3300R V17.0.0cu.596_B20250515 was found to contain a command injection vulnerability in the sub_4197C0 function via the mac and desc parameters. This vulnerability allows unauthenticated attackers to execute arbitrary commands via a crafted request.
Deeper analysisAI
CVE-2025-52046 is a command injection vulnerability affecting the Totolink A3300R router running firmware version V17.0.0cu.596_B20250515. The flaw resides in the sub_4197C0 function, where the mac and desc parameters fail to properly sanitize user input, enabling injection of arbitrary commands. Published on 2025-07-17 with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), it is classified under CWE-77 (Command Injection).
Unauthenticated remote attackers can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable endpoint. Successful exploitation grants attackers the ability to execute arbitrary operating system commands on the device with elevated privileges, potentially leading to full router compromise, including data theft, configuration manipulation, or use as a pivot for further network attacks.
Details on exploitation and potential mitigations are documented in advisories referenced at https://github.com/w0rkd4tt/Totolink/blob/main/CVE-2025-52046/CVE-2025-52046.md and https://www.notion.so/setWiFiAclRules-A3300R-2108aff2dc8b80348d94e7fd1378d475?source=copy_link. Security practitioners should review these for firmware updates or workarounds, as no patch details are specified in the initial CVE disclosure.
Details
- CWE(s)