CVE-2025-7614
Published: 14 July 2025
Summary
CVE-2025-7614 is a medium-severity Injection (CWE-74) vulnerability in Totolink T6 Firmware. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 10.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents command injection by validating the ipAddr argument in HTTP POST requests to /cgi-bin/cstecgi.cgi to ensure it contains only legitimate IP address values without shell metacharacters.
Remediates the specific command injection flaw in the delDevice function by identifying, patching firmware, or implementing workarounds promptly after disclosure.
Enforces least privilege on the HTTP POST handler process to restrict the scope and impact of any successfully injected commands executed by an authenticated low-privilege attacker.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a remotely exploitable command injection in a public-facing web CGI endpoint (/cgi-bin/cstecgi.cgi delDevice ipAddr) on a router, enabling exploitation of public-facing applications (T1190) and indirect command execution (T1202) as explicitly mapped in advisories.
NVD Description
A vulnerability classified as critical has been found in TOTOLINK T6 4.1.5cu.748. Affected is the function delDevice of the file /cgi-bin/cstecgi.cgi of the component HTTP POST Request Handler. The manipulation of the argument ipAddr leads to command injection. It is…
more
possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-7614 is a critical command injection vulnerability in TOTOLINK T6 firmware version 4.1.5cu.748. The flaw resides in the delDevice function of the /cgi-bin/cstecgi.cgi file within the HTTP POST Request Handler component. An attacker can exploit it by manipulating the ipAddr argument to inject arbitrary commands.
The vulnerability enables remote exploitation over the network with low complexity and requires low privileges (PR:L), without needing user interaction. Successful attacks can result in limited impacts on confidentiality, integrity, and availability, per its CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). It maps to CWE-74 (Injection) and CWE-77 (Command Injection).
Advisories on VulDB (ctiid.316314, id.316314, submit.615368) document the issue, while a GitHub repository (ElvisBlue/Public) provides vulnerability details and a proof-of-concept exploit. No patches or specific mitigations are mentioned in the referenced sources.
The exploit has been publicly disclosed, heightening the potential for real-world attacks against affected devices.
Details
- CWE(s)