Cyber Resilience

CVE-2025-61044

CriticalPublic PoCRCE

Published: 01 October 2025

Published
01 October 2025
Modified
16 October 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0261 86.0th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-61044 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink X18 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 14.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-61044 is a command injection vulnerability (CWE-77) affecting the TOTOLINK X18 router running firmware version V9.1.0cu.2053_B20230309. The flaw exists in the setEasyMeshAgentCfg function, where the agentName parameter fails to properly sanitize user input, allowing injection of arbitrary operating system commands. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its high impact on confidentiality, integrity, and availability.

Remote attackers require no authentication or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation enables arbitrary command execution on the underlying operating system, potentially granting full control over the affected router, including data exfiltration, modification of configurations, or use as a pivot for further network attacks.

A single advisory reference is available at https://github.com/ilovekeer/IOT/blob/main/TOTOLINK/X18/setEasyMeshAgentCfg/2.md, which likely details the vulnerability discovery and proof-of-concept; no vendor patches or specific mitigations are described in the provided information.

EU & UK References

Vulnerability details

TOTOLINK X18 V9.1.0cu.2053_B20230309 was discovered to contain a command injection vulnerability via the agentName parameter in the setEasyMeshAgentCfg function.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
Why these techniques?

The command injection vulnerability in the web interface of the TOTOLINK X18 router enables exploitation of a public-facing application (T1190) and facilitates arbitrary command execution via the network device CLI (T1059.008).

CVEs Like This One

CVE-2025-1339Same product: Totolink X18
CVE-2025-1829Same product: Totolink X18
CVE-2025-61045Same product: Totolink X18
CVE-2025-1340Same product: Totolink X18
CVE-2024-57211Same vendor: Totolink
CVE-2025-52046Same vendor: Totolink
CVE-2025-55591Same vendor: Totolink
CVE-2026-5030Same vendor: Totolink
CVE-2026-5178Same vendor: Totolink
CVE-2026-1150Same vendor: Totolink

Affected Assets

totolink
x18 firmware
9.1.0cu.2053_b20230309

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of the agentName parameter to block command injection in the setEasyMeshAgentCfg function.

prevent

Mandates timely identification, reporting, and correction of the command injection flaw through firmware updates or patches.

prevent

Ensures secure configuration settings for the router firmware, including updates to mitigate improper input handling in vulnerable functions like setEasyMeshAgentCfg.

References