CVE-2025-7525
Published: 13 July 2025
Summary
CVE-2025-7525 is a medium-severity Injection (CWE-74) vulnerability in Totolink T6 Firmware. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked in the top 10.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.
Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection in router's public-facing web CGI (/cgi-bin/cstecgi.cgi#setTracerouteCfg) enables remote exploitation of public-facing application (T1190), Unix Shell execution (T1059.004), and indirect command execution via the handler (T1202).
NVD Description
A vulnerability was found in TOTOLINK T6 4.1.5cu.748_B20211015. It has been declared as critical. This vulnerability affects the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component HTTP POST Request Handler. The manipulation of the argument command leads to command…
more
injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-7525 is a critical command injection vulnerability affecting the TOTOLINK T6 router on firmware version 4.1.5cu.748_B20211015. The issue resides in the setTracerouteCfg function of the /cgi-bin/cstecgi.cgi file within the HTTP POST Request Handler component. An attacker can exploit it by manipulating the "command" argument to inject arbitrary commands.
The vulnerability enables remote exploitation over the network with low complexity and no user interaction. It requires low privileges (PR:L) from the attacker, resulting in limited impacts on confidentiality, integrity, and availability, as reflected in its CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). Associated CWEs include CWE-74 (Improper Neutralization of Special Elements) and CWE-77 (Command Injection).
Advisories from VulDB and a GitHub repository detail the vulnerability, with the latter providing a proof-of-concept exploit. The exploit has been publicly disclosed and may be used, though no vendor patches or specific mitigation guidance are mentioned in the references.
Details
- CWE(s)