CVE-2025-52053
Published: 15 September 2025
Summary
CVE-2025-52053 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink X6000R Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 requires information input validation at entry points, directly addressing the lack of sanitization in the file_name parameter that enables command injection.
SI-2 mandates timely identification, reporting, and correction of flaws, directly mitigating this command injection vulnerability through firmware patching.
AC-3 enforces approved authorizations for access, preventing unauthenticated remote attackers from exploiting the vulnerable sub_417D74 function via crafted HTTP requests.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated command injection via web parameter in router firmware enables exploitation of public-facing application (T1190) for remote execution of arbitrary Unix shell commands (T1059.004).
NVD Description
TOTOLINK X6000R V9.4.0cu.1360_B20241207 was found to contain a command injection vulnerability in the sub_417D74 function via the file_name parameter. This vulnerability allows unauthenticated attackers to execute arbitrary commands via a crafted request.
Deeper analysisAI
CVE-2025-52053 is a command injection vulnerability (CWE-77) in the TOTOLINK X6000R router firmware version V9.4.0cu.1360_B20241207. The flaw exists in the sub_417D74 function, where the file_name parameter lacks proper input sanitization, enabling attackers to inject and execute arbitrary commands through a crafted HTTP request. This issue was published on 2025-09-15 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity due to high impacts on confidentiality, integrity, and availability.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction or privileges required. By sending a specially crafted request targeting the vulnerable parameter, they can achieve arbitrary command execution on the device, potentially leading to full compromise of the router, data theft, or use as a pivot for further network attacks.
Advisories and mitigation guidance are available in the GitHub proof-of-concept at https://github.com/w0rkd4tt/Totolink/blob/main/CVE-2025-52053/CVE-2025-52053.md and on the vendor site at https://totolink.net.
Details
- CWE(s)