CVE-2025-7154
Published: 08 July 2025
Summary
CVE-2025-7154 is a low-severity Command Injection (CWE-77) vulnerability in Totolink N200Re Firmware. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 9.4% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
A critical OS command injection vulnerability, tracked as CVE-2025-7154 and assigned CWE-77 and CWE-78, affects the TOTOLINK N200RE router running firmware versions 9.3.5u.6095_B20200916 and 9.3.5u.6139_B20201216. The flaw exists in the sub_41A0F8 function of /cgi-bin/cstecgi.cgi, where unsanitized input supplied to the Hostname argument is passed to the operating system without proper validation.
An authenticated remote attacker can supply a malicious Hostname value via crafted HTTP requests to the device's web management interface, resulting in arbitrary command execution on the device. The CVSS 4.0 vector indicates network attack reachability with low attack complexity and low privileges required, though the resulting impact on confidentiality, integrity, and availability remains limited.
Public exploit code has been disclosed on GitHub, and the EPSS score has remained flat at 0.0571 with no material increase since publication. Vendor references point to the TOTOLINK support site, but no specific patch or mitigation guidance is detailed in the available advisories.
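Since no vendor mitigation guidance is available, the practical defensive controls are strict input validation on the Hostname value and detection of requests to /cgi-bin/cstecgi.cgi that carry shell metacharacters in it. The following is an added example, not code from the advisory or from TOTOLINK; it assumes, for illustration, that Hostname arrives as a query-string parameter, and the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Allowlist for one RFC 1123 host label: 1-63 chars, letters/digits/hyphen,
# no leading or trailing hyphen. Anything else is rejected outright.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# Shell metacharacters that have no legitimate place in a hostname.
_SHELL_META = re.compile(r"[;&|`$(){}<>\n\r\\'\"]")


def is_valid_hostname(value: str) -> bool:
    """Return True only if every dot-separated label passes the allowlist."""
    if not value or len(value) > 253:
        return False
    return all(_LABEL.match(label) for label in value.split("."))


def flag_request(line: str) -> bool:
    """Flag a request line if it targets cstecgi.cgi and its Hostname value
    contains shell metacharacters or fails the hostname allowlist.
    Assumed request-line format: '<METHOD> <PATH?QUERY> HTTP/1.x'."""
    parts = line.split()
    if len(parts) < 2:
        return False
    url = urlsplit(parts[1])
    if not url.path.endswith("/cgi-bin/cstecgi.cgi"):
        return False
    for value in parse_qs(url.query).get("Hostname", []):
        if _SHELL_META.search(value) or not is_valid_hostname(value):
            return True
    return False


def suspicious_lines(lines):
    """Return the subset of request lines that flag_request() considers suspicious."""
    return [line for line in lines if flag_request(line)]


# Constructed sample request lines (not captured from any real device).
SAMPLE_LOG = [
    "POST /cgi-bin/cstecgi.cgi?Hostname=office-router HTTP/1.1",
    "POST /cgi-bin/cstecgi.cgi?Hostname=r1%3Bfoo HTTP/1.1",      # ';' in value
    "POST /cgi-bin/cstecgi.cgi?Hostname=%24%28foo%29 HTTP/1.1",  # '$(' in value
    "GET /index.html HTTP/1.1",
]

if __name__ == "__main__":
    for line in suspicious_lines(SAMPLE_LOG):
        print("suspicious:", line)
```

The same allowlist check is what a firmware-side fix would apply before the value ever reaches a shell; rejecting on failure rather than stripping characters avoids bypasses through partial filtering.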
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-20355
Vulnerability details
A vulnerability, which was classified as critical, has been found in TOTOLINK N200RE 9.3.5u.6095_B20200916/9.3.5u.6139_B20201216. Affected by this issue is the function sub_41A0F8 of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument Hostname leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection via remote web CGI (Hostname parameter) enables exploitation of public-facing application (T1190), indirect command execution (T1202), and Unix shell command execution (T1059.004).
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.