Cyber Resilience

CVE-2025-52053

Critical · Public PoC · RCE

Published: 15 September 2025
Modified: 20 September 2025
KEV Added: not listed
Patch: none referenced
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.6256 (98.4th percentile)
Risk Priority: 57 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-52053 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink X6000R Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.6% of all CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

TOTOLINK X6000R firmware version V9.4.0cu.1360_B20241207 contains a command injection vulnerability in the sub_417D74 function that is triggered through the file_name parameter. The flaw is tracked as CVE-2025-52053, carries a CVSS 3.1 score of 9.8, and is classified under CWE-77.

Unauthenticated attackers can exploit the issue over the network by sending a crafted request, enabling them to execute arbitrary operating-system commands with no user interaction or credentials required. Successful exploitation grants full control over the affected device, including the ability to read, modify, or delete data and to pivot further into attached networks.

Public references include a detailed technical write-up on GitHub and the vendor site, yet neither source supplies information on patches, firmware updates, or other mitigations at the time of disclosure.

The associated EPSS score currently stands at 0.6565 with a recorded peak of 0.6876, indicating sustained and elevated exploitation interest since publication.

EU & UK References

Vulnerability details

TOTOLINK X6000R V9.4.0cu.1360_B20241207 was found to contain a command injection vulnerability in the sub_417D74 function via the file_name parameter. This vulnerability allows unauthenticated attackers to execute arbitrary commands via a crafted request.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Unauthenticated command injection through a web request parameter in router firmware is exploitation of a public-facing application (T1190), and the injected payload is executed as arbitrary Unix shell commands on the device (T1059.004).

CVEs Like This One

CVE-2026-4611: same product (Totolink X6000R)
CVE-2025-11005: same product (Totolink X6000R)
CVE-2025-70328: same product (Totolink X6000R)
CVE-2025-52906: same product (Totolink X6000R)
CVE-2025-52907: same product (Totolink X6000R)
CVE-2024-57036: same vendor (Totolink)
CVE-2026-31170: same vendor (Totolink)
CVE-2026-31175: same vendor (Totolink)
CVE-2026-5103: same vendor (Totolink)
CVE-2026-1327: same vendor (Totolink)

Affected Assets

Vendor: totolink
Product: x6000r firmware
Version: 9.4.0cu.1360_b20241207

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 (prevent): SI-10 requires information input validation at entry points, directly addressing the lack of sanitization in the file_name parameter that enables command injection.

SI-2 (prevent): SI-2 mandates timely identification, reporting, and correction of flaws, directly mitigating this command injection vulnerability through firmware patching.

AC-3 (prevent): AC-3 enforces approved authorizations for access, preventing unauthenticated remote attackers from exploiting the vulnerable sub_417D74 function via crafted HTTP requests.

References