CVE-2025-52053
Published: 15 September 2025
Summary
CVE-2025-52053 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink X6000R Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
TOTOLINK X6000R firmware version V9.4.0cu.1360_B20241207 contains a command injection vulnerability in the sub_417D74 function that is triggered through the file_name parameter. The flaw is tracked as CVE-2025-52053, carries a CVSS 3.1 score of 9.8, and is classified under CWE-77.
Unauthenticated attackers can exploit the issue over the network by sending a crafted request, enabling them to execute arbitrary operating-system commands with no user interaction or credentials required. Successful exploitation grants full control over the affected device, including the ability to read, modify, or delete data and to pivot further into attached networks.
Public references include a detailed technical write-up on GitHub and the vendor site, yet neither source supplies information on patches, firmware updates, or other mitigations at the time of disclosure.
The associated EPSS score currently stands at 0.6565 with a recorded peak of 0.6876, indicating sustained and elevated exploitation interest since publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-29199
Vulnerability details
TOTOLINK X6000R V9.4.0cu.1360_B20241207 was found to contain a command injection vulnerability in the sub_417D74 function via the file_name parameter. This vulnerability allows unauthenticated attackers to execute arbitrary commands via a crafted request.
- CWE(s): CWE-77 (Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated command injection through a web parameter in router firmware maps to exploitation of a public-facing application (T1190); the injected input is then run as arbitrary Unix shell commands (T1059.004).
Mitigating Controls (NIST 800-53 r5)
SI-10 requires information input validation at entry points, directly addressing the lack of sanitization in the file_name parameter that enables command injection.
SI-2 mandates timely identification, reporting, and correction of flaws, directly mitigating this command injection vulnerability through firmware patching.
AC-3 enforces approved authorizations for access, preventing unauthenticated remote attackers from exploiting the vulnerable sub_417D74 function via crafted HTTP requests.
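To make the SI-10 point concrete, the following added example (not the TOTOLINK firmware's code; sub_417D74 is a decompiler-assigned name and its real body is not shown on this page) contrasts the vulnerable pattern the advisory describes, a file_name parameter concatenated into a shell command, with a hardened handler that allowlist-validates the name at the entry point and then executes the target program through an argv array so no shell ever parses the input. The function names, the /var/upload directory and the ls invocation are hypothetical.

```c
/* Added illustrative example: a CGI-style handler modelled on the pattern the
 * advisory describes (a file_name parameter reaching a shell). This is NOT the
 * TOTOLINK X6000R firmware code; all names and paths here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* SI-10 (Information Input Validation): allowlist the parameter at the entry
 * point. Accept only short names built from [A-Za-z0-9._-], refuse empty
 * names and names starting with '.', which covers ".", ".." and hidden files.
 * Anything with '/', whitespace or shell metacharacters fails the allowlist. */
int validate_file_name(const char *name)
{
    size_t len;
    if (name == NULL) return 0;
    len = strlen(name);
    if (len == 0 || len > 64) return 0;
    if (name[0] == '.') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* The vulnerable pattern (CWE-77): untrusted input pasted into a command
 * string that /bin/sh then parses. Shown for contrast only and never called:
 * any shell-significant character in file_name changes what runs. */
int vulnerable_handler(const char *file_name)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "ls -l /var/upload/%s", file_name);
    return system(cmd);            /* injection point: shell interprets input */
}

/* The hardened pattern: reject bad input first, then execute the program
 * directly with an argv array. file_name becomes a single argument, never a
 * command fragment, so there is nothing for a shell to misinterpret. */
int hardened_handler(const char *file_name)
{
    char path[128];
    pid_t pid;
    int status;

    if (!validate_file_name(file_name))
        return -1;                              /* SI-10: fail closed at entry */
    snprintf(path, sizeof path, "/var/upload/%s", file_name);

    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "ls", "-l", path, NULL };
        execv("/bin/ls", argv);                 /* no /bin/sh involved */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample inputs: one benign name, several that must be refused. */
    const char *samples[] = { "report.txt", "a;b", "a|b", "$(a)", "../x", "a b", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %s\n", samples[i],
               validate_file_name(samples[i]) ? "accepted" : "rejected");
    printf("hardened_handler(\"a;b\") = %d (rejected before any exec)\n",
           hardened_handler("a;b"));
    return 0;
}
```

The design choice worth noting is the order: validation alone would still leave a shell in the path if system() stayed, and execv alone would still let a crafted name reach the filesystem, so the hardened handler does both. Allowlisting (what is permitted) rather than blocklisting shell characters is what keeps the check small and reviewable.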