CVE-2025-61044
Published: 01 October 2025
Summary
CVE-2025-61044 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink X18 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 15.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation and sanitization of the agentName parameter to block command injection in the setEasyMeshAgentCfg function.
Mandates timely identification, reporting, and correction of the command injection flaw through firmware updates or patches.
Ensures secure configuration settings for the router firmware, including updates to mitigate improper input handling in vulnerable functions like setEasyMeshAgentCfg.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The command injection vulnerability in the web interface of the TOTOLINK X18 router enables exploitation of a public-facing application (T1190) and facilitates arbitrary command execution via the network device CLI (T1059.008).
NVD Description
TOTOLINK X18 V9.1.0cu.2053_B20230309 was discovered to contain a command injection vulnerability via the agentName parameter in the setEasyMeshAgentCfg function.
Deeper analysisAI
CVE-2025-61044 is a command injection vulnerability (CWE-77) affecting the TOTOLINK X18 router running firmware version V9.1.0cu.2053_B20230309. The flaw exists in the setEasyMeshAgentCfg function, where the agentName parameter fails to properly sanitize user input, allowing injection of arbitrary operating system commands. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its high impact on confidentiality, integrity, and availability.
Remote attackers require no authentication or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation enables arbitrary command execution on the underlying operating system, potentially granting full control over the affected router, including data exfiltration, modification of configurations, or use as a pivot for further network attacks.
A single advisory reference is available at https://github.com/ilovekeer/IOT/blob/main/TOTOLINK/X18/setEasyMeshAgentCfg/2.md, which likely details the vulnerability discovery and proof-of-concept; no vendor patches or specific mitigations are described in the provided information.
Details
- CWE(s)