Cyber Resilience

CVE-2025-52906

CriticalRCE

Published: 24 September 2025

Published
24 September 2025
Modified
14 October 2025
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:X/RE:X/U:X
EPSS Score 0.0100 77.4th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-52906 is a critical-severity OS Command Injection (CWE-78) vulnerability in Totolink X6000R Firmware. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 22.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-52906 is an OS command injection vulnerability, tracked as CWE-78, that affects the TOTOLINK X6000R router. The flaw stems from improper neutralization of special elements in OS commands and impacts all firmware versions through V9.4.0cu.1360_B20241207. It carries a CVSS 4.0 score of 9.3, reflecting network-accessible attack vectors that require no authentication or user interaction.

An unauthenticated remote attacker can supply crafted input to trigger arbitrary operating-system command execution on the device. Successful exploitation grants the ability to modify system behavior, read or alter sensitive data, and affect availability, with the vulnerability also producing high secondary impacts on confidentiality, integrity, and availability beyond the immediate device scope.

The referenced Palo Alto Networks disclosure and TOTOLINK firmware download page provide the primary sources for further details on affected builds and any available updates. The EPSS score for this CVE rose from a low baseline to a peak of 0.0325, indicating emerging exploitation interest after public disclosure.

EU & UK References

Vulnerability details

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in TOTOLINK X6000R allows OS Command Injection.This issue affects X6000R: through V9.4.0cu.1360_B20241207.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
Why these techniques?

OS Command Injection vulnerability in TOTOLINK X6000R router web interface enables exploitation of public-facing application (T1190) for arbitrary command execution on network device CLI (T1059.008).

CVEs Like This One

CVE-2025-11005Same product: Totolink X6000R
CVE-2025-70328Same product: Totolink X6000R
CVE-2026-4611Same product: Totolink X6000R
CVE-2025-52907Same product: Totolink X6000R
CVE-2025-52053Same product: Totolink X6000R
CVE-2026-31177Same vendor: Totolink
CVE-2026-31181Same vendor: Totolink
CVE-2025-25579Same vendor: Totolink
CVE-2025-51390Same vendor: Totolink
CVE-2026-31178Same vendor: Totolink

Affected Assets

totolink
x6000r firmware
≤ 9.4.0cu.1360_b20241207

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires implementation of input validation mechanisms at entry points to neutralize special elements and directly prevent OS command injection attacks like this CVE.

prevent

Mandates identification, reporting, and correction of system flaws, enabling timely firmware patching to remediate the specific improper neutralization vulnerability.

prevent

Enforces least privilege for processes, limiting the scope and impact of arbitrary OS commands executed via injection on the compromised router.

References