CVE-2025-7613
Published: 14 July 2025
Summary
CVE-2025-7613 is a low-severity Injection (CWE-74) vulnerability in Totolink T6 Firmware. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 10.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-7613 is a command-injection vulnerability in the TOTOLINK T6 router running firmware 4.1.5cu.748. It resides in the CloudSrvVersionCheck function of the /cgi-bin/cstecgi.cgi endpoint that handles HTTP POST requests; unsanitized input supplied to the “ip” parameter is passed directly to an operating-system command.
An authenticated remote attacker can send a crafted POST request to execute arbitrary commands on the device. The CVSS vector indicates limited impact on confidentiality, integrity, and availability, consistent with the low-privilege context required for exploitation.
Public proof-of-concept code has been published on GitHub and referenced on Vuldb, confirming that the issue is known and reproducible. The associated EPSS score remains flat at 0.0455 with no material increase since disclosure, indicating limited observed exploitation interest to date. No vendor advisory or patch information is referenced in the available sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21357
Vulnerability details
A vulnerability was found in TOTOLINK T6 4.1.5cu.748. It has been rated as critical. This issue affects the function CloudSrvVersionCheck of the file /cgi-bin/cstecgi.cgi of the component HTTP POST Request Handler. The manipulation of the argument ip leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote exploitation of a public-facing web application (T1190) via HTTP POST command injection in a CGI script, which in turn facilitates Unix shell command execution (T1059.004) and indirect command execution (T1202), as noted in advisories.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents command injection by requiring validation of the manipulated 'ip' argument in the HTTP POST request before it is used in OS commands.
- SI-2 (Flaw Remediation): remediates the specific command injection flaw in the CloudSrvVersionCheck function through timely flaw correction, such as firmware patching.
- SC-14 (Public Access Protections): enforces input validation at public managed interfaces to block invalid 'ip' values in remote HTTP POST requests targeting the vulnerable CGI handler.
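The input-validation control above (and the T1190 mapping earlier on the page) can be made concrete with a small defensive example. The code below is added here and is not TOTOLINK's firmware code or any code from the advisory: it assumes a hypothetical CGI handler that takes an `ip` form parameter and passes it to a reachability command (the real purpose of CloudSrvVersionCheck's command is not stated on the page). It contrasts the CWE-78 pattern the advisory describes (untrusted input concatenated into a shell string) with a hardened version that allowlist-validates the value with `ipaddress` and builds an argv list for `subprocess.run` without a shell, and reuses the same validator as detection logic over constructed proxy/WAF request records that capture POST bodies.

```python
"""
Allowlist validation of an 'ip' CGI parameter (NIST SI-10) and a detector for
requests that would fail it.  Added example for CVE-2025-7613; the handler,
command and request records are constructed for illustration and are not the
vendor's code.
"""
import ipaddress
from typing import List, Optional
from urllib.parse import parse_qs

VULNERABLE_PATH = "/cgi-bin/cstecgi.cgi"  # endpoint named in the advisory


def parse_ip_param(raw: str) -> Optional[str]:
    """Allowlist validation: accept only a syntactically valid IPv4/IPv6
    address and return it in canonical form, otherwise None.  Shell
    metacharacters, whitespace, hostnames and empty strings are all rejected
    because ipaddress.ip_address() raises ValueError on them."""
    try:
        return str(ipaddress.ip_address(raw))
    except ValueError:
        return None


def vulnerable_command(ip_param: str) -> str:
    """The CWE-78 pattern the advisory describes: untrusted input is pasted
    into a shell command line.  Kept only for contrast and never executed."""
    return f"ping -c 1 {ip_param}"


def hardened_command(ip_param: str) -> Optional[List[str]]:
    """Validate first, then build an argv list for subprocess.run(argv)
    without shell=True, so the value can only ever be a single argument."""
    ip = parse_ip_param(ip_param)
    if ip is None:
        return None  # caller should answer HTTP 400, not run anything
    return ["ping", "-c", "1", ip]


def flag_suspicious_requests(requests: List[dict]) -> List[int]:
    """Detection over captured requests (dicts with method, path, body):
    return the indices of POSTs to the CGI endpoint whose 'ip' parameter
    fails the same validation the handler should apply.  Assumes a proxy or
    WAF that records request bodies (constructed assumption)."""
    flagged = []
    for i, req in enumerate(requests):
        if req["method"] != "POST" or req["path"] != VULNERABLE_PATH:
            continue
        values = parse_qs(req["body"], keep_blank_values=True).get("ip", [])
        if any(parse_ip_param(v) is None for v in values):
            flagged.append(i)
    return flagged


# Constructed sample traffic (not real captures).
SAMPLE_REQUESTS = [
    {"method": "POST", "path": VULNERABLE_PATH, "body": "ip=203.0.113.7"},
    {"method": "POST", "path": VULNERABLE_PATH, "body": "ip=203.0.113.7%3Bid"},
    {"method": "GET", "path": VULNERABLE_PATH, "body": ""},
    {"method": "POST", "path": "/cgi-bin/other.cgi", "body": "ip=x"},
    {"method": "POST", "path": VULNERABLE_PATH, "body": "ip=2001%3Adb8%3A%3A1"},
]

if __name__ == "__main__":
    print(flag_suspicious_requests(SAMPLE_REQUESTS))  # [1]
```

Rejecting anything that is not a parseable address is deliberately stricter than stripping metacharacters: a denylist has to anticipate every shell syntax, whereas the allowlist plus argv-style execution leaves no string for a shell to interpret at all.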