Cyber Resilience

CVE-2025-52089

Severity: High · Public PoC

Published: 11 July 2025
Modified: 19 July 2025
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0320 (87.3rd percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-52089 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in TOTOLINK N300RB firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 12.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2025-52089 covers a hidden remote support feature in TOTOLINK N300RB firmware version 8.54 that is gated only by a static secret. The flaw, classified as CWE-306 (Missing Authentication for Critical Function), lets anyone who knows the secret invoke arbitrary operating-system commands with root privileges. Its CVSS 3.1 base score of 8.8 reflects an adjacent-network attack vector (AV:A), low attack complexity, no privileges required and no user interaction, with high impact on confidentiality, integrity and availability.

An attacker on the same network segment who presents the static secret can unlock the concealed interface and run commands that fully compromise the device, including reading or modifying sensitive data and altering its behaviour. The vendor description calls the attacker "authenticated", but the CVSS vector (PR:N) and the CWE-306 classification both reflect that the only check is knowledge of a secret fixed in the firmware image, not an administrator credential or a per-device password; once that secret is known, the feature is effectively unauthenticated.
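The weakness pattern behind this CVE, a fixed secret gating a handler that hands request data to a root shell, is something a firmware reviewer can hunt for in an unpacked image before any advisory exists. The following triage script is an added example written for this page, not code from the referenced write-up or from TOTOLINK; the regex heuristic, the sink list and the sample file tree created by build_sample_root() are assumptions for illustration, and it does not reproduce the actual N300RB interface or its secret.

```python
"""
Added triage example (not from the vulnerability page or TOTOLINK): walk an
extracted firmware root and flag files that combine the two ingredients of
CVE-2025-52089, a hard-coded secret compared against request input and a
code path that reaches a shell. Heuristics and sample data are assumptions.
"""
import os
import re
import tempfile

# Assumed heuristic: an assignment whose name looks credential-like and whose
# value is at least six printable characters, e.g. SUPPORT_KEY="Zx9-...".
SECRET_RE = re.compile(
    rb'(?i)\w*(?:passw(?:or)?d|secret|token|key)\w*\s*[:=]\s*["\']?([A-Za-z0-9@#$%^&*._-]{6,})'
)
# Assumed sink list: strings whose presence means the file can spawn a shell.
SHELL_SINKS = (b"system(", b"popen(", b"execve(", b"/bin/sh")


def scan_file(path):
    """Return the credential-looking assignments and shell sinks found in one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    secrets = [m.group(0)[:80].decode("latin-1") for m in SECRET_RE.finditer(data)]
    sinks = [s.decode() for s in SHELL_SINKS if s in data]
    return {"secrets": secrets, "sinks": sinks}


def scan_root(root):
    """Scan every regular file under root; return {relative_path: result} for files with any hit."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlinks into /proc, /dev etc. are noise in unpacked images
            result = scan_file(full)
            if result["secrets"] or result["sinks"]:
                hits[os.path.relpath(full, root)] = result
    return hits


def hidden_support_candidates(hits):
    """Files that both embed a fixed secret and reach a shell: the CWE-306 + root-shell pattern."""
    return sorted(p for p, r in hits.items() if r["secrets"] and r["sinks"])


def build_sample_root():
    """Constructed firmware tree for demonstration; contents are invented, not TOTOLINK's."""
    root = tempfile.mkdtemp(prefix="fw_")
    files = {
        # Hypothetical hidden support CGI: fixed secret, then request data into a shell.
        "web/cgi-bin/support.cgi": (
            b'#!/bin/sh\n'
            b'SUPPORT_KEY="Zx9-supp0rt-Key"\n'
            b'[ "$QUERY_KEY" = "$SUPPORT_KEY" ] || exit 1\n'
            b'/bin/sh -c "$QUERY_CMD"\n'
        ),
        # Owner-set Wi-Fi password: credential-looking, but no shell sink.
        "etc/config/wifi.conf": b'ssid=Home\npassword=userchosen1\n',
        # Helper binary that calls system(): shell sink, but no embedded secret.
        "bin/ping_helper": b'\x7fELF...system(' + b'\x00' * 8,
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    sample = build_sample_root()
    found = scan_root(sample)
    for path in hidden_support_candidates(found):
        print("review first:", path, found[path])
```

Against a real image, call scan_root() on the unpacked root filesystem instead of build_sample_root(). Only the files returned by hidden_support_candidates() need immediate reading or disassembly: a secret hit alone (the wifi.conf entry above) is usually an owner-set credential, and a shell sink alone is normal for helper binaries, but a file with both is where a static-secret remote support feature would live.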

The single reference points to a technical write-up that details discovery of the debug interface; no vendor advisory, firmware patch, or mitigation guidance is provided in the available sources.

EPSS for the CVE rose from a low baseline to a peak of 0.0474 before settling at the current value of 0.0320, indicating measurable post-disclosure interest in exploitation.

Vulnerability details

A hidden remote support feature protected by a static secret in TOTOLINK N300RB firmware version 8.54 allows an authenticated attacker to execute arbitrary OS commands with root privileges.

CWE(s)

CWE-306 Missing Authentication for Critical Function

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The hidden remote support feature is gated only by a static secret (missing authentication, CWE-306), so anyone on the adjacent network who holds that secret gets remote code execution as root; this maps to exploitation of the device's exposed application (T1190) and to execution through the Unix shell (T1059.004). T1190 is the closest available technique even though the CVSS vector is adjacent-network (AV:A) rather than Internet-facing; the mapping applies most directly where the affected interface is reachable from an untrusted segment.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-57016 · Same vendor: Totolink
CVE-2024-57015 · Same vendor: Totolink
CVE-2026-5103 · Same vendor: Totolink
CVE-2026-1327 · Same vendor: Totolink
CVE-2026-1547 · Same vendor: Totolink
CVE-2024-57013 · Same vendor: Totolink
CVE-2024-57011 · Same vendor: Totolink
CVE-2024-57036 · Same vendor: Totolink
CVE-2025-1339 · Same vendor: Totolink
CVE-2026-31170 · Same vendor: Totolink

Affected Assets

Vendor: TOTOLINK
Product: N300RB firmware
Version: 8.54

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: CM-7 Least Functionality prohibits or restricts unnecessary functions such as hidden remote support features, directly preventing their availability for exploitation.

Prevent: MA-4 Nonlocal Maintenance requires approval, management, and policy-compliant use of remote diagnostic tools, mitigating hidden remote support interfaces.

Prevent: IA-5 Authenticator Management prohibits static secrets and enforces proper handling of authenticators protecting critical functions like remote command execution.
