Cyber Posture

CVE-2025-7952

Medium · Public PoC

Published: 22 July 2025

Modified: 29 April 2026
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0273 (86.1th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-7952 is a medium-severity Injection (CWE-74) vulnerability in Totolink T6 Firmware. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 13.9% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
Threat & Defense Details

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-74

Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.

addresses: CWE-74

Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Remote command injection in public-facing MQTT handler directly enables T1190 for initial access and T1059.004 for Unix shell command execution on the router firmware.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability classified as critical was found in TOTOLINK T6 4.1.5cu.748. This vulnerability affects the function ckeckKeepAlive of the file wireless.so of the component MQTT Packet Handler. The manipulation leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Deeper analysis (AI)

CVE-2025-7952 is a command injection vulnerability classified as critical in the TOTOLINK T6 router running firmware version 4.1.5cu.748. The issue resides in the ckeckKeepAlive function within the wireless.so file, part of the MQTT Packet Handler component. Manipulation of this function enables command injection, as documented under CWE-74 and CWE-77.

The vulnerability is remotely exploitable over the network with low attack complexity, requiring low privileges (PR:L) but no user interaction. Successful exploitation has limited impact: low confidentiality, integrity, and availability effects, per its CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

Advisories and references, including VulDB entries and a GitHub repository, disclose a public proof-of-concept exploit, indicating it may be actively used by attackers. No specific patches or mitigations are detailed in the available information.

Details

CWE(s)

Affected Products

totolink · t6 firmware · v4.1.5cu.748_b20211015

CVEs Like This One

CVE-2025-7524 (same product: Totolink T6)
CVE-2025-7613 (same product: Totolink T6)
CVE-2025-7525 (same product: Totolink T6)
CVE-2025-7614 (same product: Totolink T6)
CVE-2025-7615 (same product: Totolink T6)
CVE-2025-7460 (same product: Totolink T6)
CVE-2025-7758 (same product: Totolink T6)
CVE-2025-7837 (same product: Totolink T6)
CVE-2025-8170 (same product: Totolink T6)
CVE-2025-7912 (same product: Totolink T6)
