Cyber Resilience

CVE-2025-7862

MediumPublic PoC

Published: 20 July 2025

Published
20 July 2025
Modified
29 April 2026
KEV Added
Patch
CVSS Score v4 5.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0034 56.9th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-7862 is a medium-severity Improper Authentication (CWE-287) vulnerability in Totolink T6 Firmware. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 43.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-17 (Remote Access).

Deeper analysis

CVE-2025-7862 is a critical vulnerability affecting the TOTOLINK T6 router on firmware version 4.1.5cu.748_B20211015. It targets the setTelnetCfg function within the /cgi-bin/cstecgi.cgi file of the Telnet Service component, where manipulation of the telnet_enabled argument to the value 1 results in missing authentication. Published on 2025-07-20, the issue carries a CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and is linked to CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function).

The vulnerability enables remote exploitation by unauthenticated attackers with low complexity and no user interaction required. By sending a crafted request to enable Telnet, attackers bypass authentication controls, potentially gaining low-level access to confidentiality, integrity, and availability impacts on the affected device.

Advisories and references, including GitHub disclosures at https://github.com/AnduinBrian/Public/blob/main/Totolink%20T6/Vuln/5.md (with a POC at #poc-http) and VulDB entries at https://vuldb.com/?ctiid.316975, https://vuldb.com/?id.316975, and https://vuldb.com/?submit.617643, confirm the exploit has been publicly disclosed and may be actively used. No specific patch or mitigation details are detailed in the provided information.

EU & UK References

Vulnerability details

A vulnerability has been found in TOTOLINK T6 4.1.5cu.748_B20211015 and classified as critical. Affected by this vulnerability is the function setTelnetCfg of the file /cgi-bin/cstecgi.cgi of the component Telnet Service. The manipulation of the argument telnet_enabled with the input 1…

more

leads to missing authentication. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
Why these techniques?

Unauthenticated remote exploitation of public-facing web CGI enables Telnet service activation on the router, facilitating public-facing app exploitation (T1190), remote service exploitation (T1210), and subsequent network device CLI access via Telnet (T1059.008).

CVEs Like This One

CVE-2025-8170Same product: Totolink T6
CVE-2025-7912Same product: Totolink T6
CVE-2025-7615Same product: Totolink T6
CVE-2025-7837Same product: Totolink T6
CVE-2025-7913Same product: Totolink T6
CVE-2025-7460Same product: Totolink T6
CVE-2025-7758Same product: Totolink T6
CVE-2025-7952Same product: Totolink T6
CVE-2025-7524Same product: Totolink T6
CVE-2025-7614Same product: Totolink T6

Affected Assets

totolink
t6 firmware
v4.1.5cu.748_b20211015

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authentication and access policy on the setTelnetCfg function so that unauthenticated manipulation of telnet_enabled is blocked before Telnet can be enabled.

AC-17 Remote Access partial match
prevent

Requires explicit authorization and authentication mechanisms for all remote access services, preventing the unauthenticated remote enabling of Telnet described in the CVE.

prevent

Mandates identification and authentication of services before they are activated, directly addressing the missing authentication for the Telnet service configuration function.

References