CVE-2025-52906

CriticalRCE

Published: 24 September 2025

Published

24 September 2025

Modified

14 October 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0088 75.5th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-52906 is a critical-severity OS Command Injection (CWE-78) vulnerability in Totolink X6000R Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 24.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Requires implementation of input validation mechanisms at entry points to neutralize special elements and directly prevent OS command injection attacks like this CVE.

SI-2 Flaw Remediation good match

prevent

Mandates identification, reporting, and correction of system flaws, enabling timely firmware patching to remediate the specific improper neutralization vulnerability.

AC-6 Least Privilege partial match

prevent

Enforces least privilege for processes, limiting the scope and impact of arbitrary OS commands executed via injection on the compromised router.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.008 Network Device CLI Execution

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.

attack.mitre.org →

Why these techniques?

OS Command Injection vulnerability in TOTOLINK X6000R router web interface enables exploitation of public-facing application (T1190) for arbitrary command execution on network device CLI (T1059.008).

NVD Description

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in TOTOLINK X6000R allows OS Command Injection.This issue affects X6000R: through V9.4.0cu.1360_B20241207.

Deeper analysisAI

CVE-2025-52906 is an Improper Neutralization of Special Elements used in an OS Command, classified as an OS Command Injection vulnerability (CWE-78), affecting the TOTOLINK X6000R router. This flaw enables attackers to inject and execute arbitrary operating system commands. The issue impacts X6000R firmware versions through V9.4.0cu.1360_B20241207 and was published on 2025-09-24.

With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the vulnerability is exploitable remotely over the network by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation grants attackers the ability to execute arbitrary OS commands on the device, resulting in high impacts to confidentiality, integrity, and availability, potentially leading to full compromise of the router.

Advisories and mitigation guidance are available in the Palo Alto Networks disclosure at https://github.com/PaloAltoNetworks/u42-vulnerability-disclosures/blob/main/2025/PANW-2025-0002/PANW-2025-0002.md and on the TOTOLINK vendor site at https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/247/ids/36.html, which likely includes firmware patches addressing the issue.

Details

CWE(s): CWE-78

Affected Products

totolink

x6000r firmware

≤ 9.4.0cu.1360_b20241207

CVEs Like This One

CVE-2025-11005Same product: Totolink X6000R

CVE-2025-70328Same product: Totolink X6000R

CVE-2026-4611Same product: Totolink X6000R

CVE-2025-52907Same product: Totolink X6000R

CVE-2025-52053Same product: Totolink X6000R

CVE-2025-25579Same vendor: Totolink

CVE-2024-57017Same vendor: Totolink

CVE-2026-31178Same vendor: Totolink

CVE-2025-51390Same vendor: Totolink

CVE-2026-31181Same vendor: Totolink

References

https://github.com/PaloAltoNetworks/u42-vulnerability-disclosures/blob/main/2025/PANW-2025-0002/PANW-2025-0002.md
Third Party Advisory · psirt@paloaltonetworks.com
https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/247/ids/36.html
Product · psirt@paloaltonetworks.com