CVE-2025-6619
Published: 25 June 2025
Summary
CVE-2025-6619 is a low-severity Command Injection (CWE-77) vulnerability in TOTOLINK CA300-PoE firmware. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 8.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Deeper analysis
CVE-2025-6619 affects the TOTOLINK CA300-PoE device running firmware version 6.2c.884. The flaw is in the setUpgradeFW function of upgrade.so, where the FileName argument is passed into an OS command without adequate sanitisation, permitting OS command injection (CWE-77 and CWE-78).
An authenticated remote attacker can supply a crafted FileName value to execute arbitrary operating system commands on the device. The flaw carries a CVSS 4.0 score of 2.1, and a publicly disclosed exploit exists and may be used.
The available references consist of a GitHub disclosure containing a proof-of-concept and VulDB entries that document the issue; none of them provide details on patches or mitigation steps. The EPSS score has remained flat at 0.0699, with no material rise since publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-19129
Vulnerability details
A vulnerability was found in TOTOLINK CA300-PoE 6.2c.884. It has been declared as critical. Affected by this vulnerability is the function setUpgradeFW of the file upgrade.so. The manipulation of the argument FileName leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The OS command injection in the web-based firmware upgrade function (setUpgradeFW) of a public-facing network device allows remote exploitation of a public-facing application (T1190), and the injected input reaches the shell through the upgrade routine rather than a direct command interface, which maps to Indirect Command Execution (T1202).
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.