CVE-2025-52907

High

Published: 24 September 2025

Published

24 September 2025

Modified

14 October 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0028 51.2th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-52907 is a high-severity Improper Input Validation (CWE-20) vulnerability in Totolink X6000R Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 48.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validation of all inputs to the system, preventing command injection and file manipulation exploits stemming from improper input validation in this CVE.

SI-2 Flaw Remediation good match

prevent

Mandates identification, reporting, and correction of system flaws, enabling timely patching of the specific input validation vulnerability in the TOTOLINK X6000R firmware.

SI-7 Software, Firmware, and Information Integrity partial match

detect

Monitors software and firmware integrity to detect unauthorized modifications resulting from successful command injection or file manipulation attacks.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.008 Network Device CLI Execution

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.

attack.mitre.org →

T1602.002 Network Device Configuration Dump Collection

Adversaries may access network configuration files to collect sensitive data about the device and the network.

attack.mitre.org →

Why these techniques?

The vulnerability in the router's web interface enables exploitation of a public-facing application (T1190), command injection facilitating network device CLI execution (T1059.008), and file manipulation allowing network device configuration dumps (T1602.002).

NVD Description

Improper Input Validation vulnerability in TOTOLINK X6000R allows Command Injection, File Manipulation.This issue affects X6000R: through V9.4.0cu.1360_B20241207.

Deeper analysisAI

CVE-2025-52907 is an Improper Input Validation vulnerability (CWE-20) present in the TOTOLINK X6000R router firmware. It enables command injection and file manipulation attacks. The issue affects X6000R firmware versions through V9.4.0cu.1360_B20241207 and was published on 2025-09-24.

With a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), the vulnerability can be exploited over the network with low complexity by unauthenticated attackers. Exploitation requires user interaction, such as a victim accessing a malicious input field or webpage. Successful attacks allow arbitrary command execution and file manipulation on the device, compromising confidentiality, integrity, and availability at a high level.

Advisories and patches are detailed in the Palo Alto Networks disclosure (PANW-2025-0003) at https://github.com/PaloAltoNetworks/u42-vulnerability-disclosures/blob/main/2025/PANW-2025-0003/PANW-2025-0003.md and the TOTOLINK firmware download page at https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/247/ids/36.html.

Details

CWE(s): CWE-20

Affected Products

totolink

x6000r firmware

≤ 9.4.0cu.1360_b20241207

CVEs Like This One

CVE-2025-11005Same product: Totolink X6000R

CVE-2025-52906Same product: Totolink X6000R

CVE-2025-70328Same product: Totolink X6000R

CVE-2025-52053Same product: Totolink X6000R

CVE-2026-4611Same product: Totolink X6000R

CVE-2026-4497Same vendor: Totolink

CVE-2025-25579Same vendor: Totolink

CVE-2024-57017Same vendor: Totolink

CVE-2026-5105Same vendor: Totolink

CVE-2026-31178Same vendor: Totolink

References

https://github.com/PaloAltoNetworks/u42-vulnerability-disclosures/blob/main/2025/PANW-2025-0003/PANW-2025-0003.md
Third Party Advisory · psirt@paloaltonetworks.com
https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/247/ids/36.html
Product · psirt@paloaltonetworks.com