CVE-2025-52046
Published: 17 July 2025
Summary
CVE-2025-52046 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink A3300R Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-8 (Identification and Authentication (Non-organizational Users)) and SI-10 (Information Input Validation).
Deeper analysis
Totolink A3300R firmware version V17.0.0cu.596_B20250515 contains a command injection vulnerability tracked as CVE-2025-52046. The flaw resides in the sub_4197C0 function and is triggered through the mac and desc parameters, corresponding to CWE-77. It carries a CVSS 3.1 score of 9.8 reflecting network-accessible, unauthenticated exploitation with high impact on confidentiality, integrity, and availability.
An unauthenticated attacker can submit a crafted HTTP request to the affected device and achieve arbitrary command execution on the router. Successful exploitation grants the attacker full control over the device without requiring credentials or user interaction.
Public references consist of technical write-ups and proof-of-concept material hosted on GitHub and Notion; neither source provides vendor advisory information or patch availability. The CVE maintains a high EPSS score with a current value of 0.6232 and an observed peak of 0.6696.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21783
Vulnerability details
Totolink A3300R V17.0.0cu.596_B20250515 was found to contain a command injection vulnerability in the sub_4197C0 function via the mac and desc parameters. This vulnerability allows unauthenticated attackers to execute arbitrary commands via a crafted request.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated command injection via crafted web requests to router parameters enables exploitation of a public-facing application (T1190) and arbitrary command execution on the network device (T1059.008).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 mandates information input validation and error handling at input points, directly preventing command injection via unsanitized mac and desc parameters.
SI-2 requires timely identification, reporting, and correction of flaws, enabling firmware patching to remediate the sub_4197C0 command injection vulnerability.
IA-8 enforces identification and authentication for non-organizational users, blocking unauthenticated remote attackers from reaching and exploiting the vulnerable endpoint.