CVE-2025-7613
Published: 14 July 2025
Summary
CVE-2025-7613 is a medium-severity Injection (CWE-74) vulnerability in Totolink T6 Firmware. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 10.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents command injection by requiring validation of the manipulated 'ip' argument in the HTTP POST request before use in OS commands.
Remediates the specific command injection flaw in the CloudSrvVersionCheck function through timely flaw correction, such as firmware patching.
Enforces input validation at public managed interfaces to block invalid 'ip' values in remote HTTP POST requests targeting the vulnerable CGI handler.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables remote exploitation of public-facing web application (T1190) via HTTP POST command injection in CGI script, facilitating Unix shell command execution (T1059.004) and indirect command execution (T1202) as noted in advisories.
NVD Description
A vulnerability was found in TOTOLINK T6 4.1.5cu.748. It has been rated as critical. This issue affects the function CloudSrvVersionCheck of the file /cgi-bin/cstecgi.cgi of the component HTTP POST Request Handler. The manipulation of the argument ip leads to command…
more
injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-7613 is a command injection vulnerability affecting the TOTOLINK T6 router on firmware version 4.1.5cu.748. The flaw exists in the CloudSrvVersionCheck function of the /cgi-bin/cstecgi.cgi file within the HTTP POST Request Handler component. It has been rated as critical and is triggered by manipulating the "ip" argument in an HTTP POST request, allowing arbitrary command injection.
The vulnerability enables remote exploitation over the network with low complexity and requires low privileges but no user interaction. Attackers can achieve limited impacts on confidentiality, integrity, and availability, as reflected in its CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). It maps to CWE-74 (Improper Neutralization of Special Elements used in an OS Command) and CWE-77 (Command Injection).
Advisories and references, including VulDB entries and a GitHub repository, confirm the exploit has been publicly disclosed, with a proof-of-concept available that may be used by attackers. No patches or specific mitigation guidance are mentioned in the available details.
Details
- CWE(s)