Cyber Resilience

CVE-2025-52907

High

Published: 24 September 2025

Published
24 September 2025
Modified
14 October 2025
KEV Added
Patch
CVSS Score v4 7.3 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:H/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:X/RE:X/U:X
EPSS Score 0.0030 53.9th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-52907 is a high-severity Improper Input Validation (CWE-20) vulnerability in Totolink X6000R Firmware. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 46.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-52907 is an improper input validation flaw, tracked under CWE-20, that affects the TOTOLINK X6000R router in all versions through V9.4.0cu.1360_B20241207. The vulnerability permits command injection and file manipulation on the device.

An unauthenticated remote attacker can trigger the flaw over the network, though the CVSS vector indicates user interaction is required and attack complexity is high. Successful exploitation grants the ability to inject commands and manipulate files, resulting in high integrity impact on the device along with secondary impacts to confidentiality and availability in the surrounding environment.

The referenced Palo Alto Networks disclosure and TOTOLINK firmware page provide the primary sources for mitigation details and updated firmware. EPSS for the CVE rose from a low baseline to a peak of 0.0106, indicating emerging exploitation interest after public disclosure.

EU & UK References

Vulnerability details

Improper Input Validation vulnerability in TOTOLINK X6000R allows Command Injection, File Manipulation.This issue affects X6000R: through V9.4.0cu.1360_B20241207.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
T1602.002 Network Device Configuration Dump Collection
Adversaries may access network configuration files to collect sensitive data about the device and the network.
Why these techniques?

The vulnerability in the router's web interface enables exploitation of a public-facing application (T1190), command injection facilitating network device CLI execution (T1059.008), and file manipulation allowing network device configuration dumps (T1602.002).

CVEs Like This One

CVE-2025-11005Same product: Totolink X6000R
CVE-2025-70328Same product: Totolink X6000R
CVE-2025-52906Same product: Totolink X6000R
CVE-2026-4611Same product: Totolink X6000R
CVE-2025-52053Same product: Totolink X6000R
CVE-2026-31177Same vendor: Totolink
CVE-2026-5030Same vendor: Totolink
CVE-2024-57211Same vendor: Totolink
CVE-2026-5178Same vendor: Totolink
CVE-2026-31181Same vendor: Totolink

Affected Assets

totolink
x6000r firmware
≤ 9.4.0cu.1360_b20241207

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of all inputs to the system, preventing command injection and file manipulation exploits stemming from improper input validation in this CVE.

prevent

Mandates identification, reporting, and correction of system flaws, enabling timely patching of the specific input validation vulnerability in the TOTOLINK X6000R firmware.

detect

Monitors software and firmware integrity to detect unauthorized modifications resulting from successful command injection or file manipulation attacks.

References