CVE-2025-9934
Published: 04 September 2025
Summary
CVE-2025-9934 is a low-severity Injection (CWE-74) vulnerability in Totolink X5000R Firmware. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 14.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).
Deeper analysis
A command injection vulnerability exists in the TOTOLINK X5000R router running firmware 9.1.0cu.2415_B20250515. The flaw resides in the sub_410C34 function of /cgi-bin/cstecgi.cgi and is triggered by unsanitized input supplied to the pid argument, corresponding to CWE-74 and CWE-77 weaknesses. The issue received a CVSS 4.0 score of 2.1 reflecting limited impact and the requirement for low-privileged access.
An authenticated remote attacker can supply a crafted pid value to the CGI endpoint and achieve command execution on the device. Public proof-of-concept code demonstrating the injection has been released, confirming that exploitation can be performed over the network without user interaction.
The associated EPSS score remains low, moving only from 0.0242 to a peak of 0.0251. Public references consist of technical write-ups and exploit details hosted on GitHub and VulDB; no vendor advisory or patch information is provided in the available sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-26655
Vulnerability details
A vulnerability was found in TOTOLINK X5000R 9.1.0cu.2415_B20250515. This affects the function sub_410C34 of the file /cgi-bin/cstecgi.cgi. Manipulation of the argument pid leads to command injection. The attack can be launched remotely. The exploit has been made public and could be used.
- CWE(s): CWE-74 (Injection), CWE-77 (Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in public-facing router CGI (/cgi-bin/cstecgi.cgi) via 'pid' parameter enables initial access through exploitation of public-facing application (T1190), indirect command execution via the CGI process (T1202), and Unix shell command execution (T1059.004).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly blocks command injection by validating/sanitizing the untrusted 'pid' argument before it reaches sub_410C34 in cstecgi.cgi.
- AC-3 (Access Enforcement): enforces access restrictions on the /cgi-bin/cstecgi.cgi endpoint so only explicitly authorized subjects can invoke the vulnerable function.
- Restricts network access to the router's management interface, reducing the remote attack surface for the publicly disclosed exploit.
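As an added illustration of the SI-10 control above (example code written for this page, not code from the advisory, the vendor or the affected firmware), the following C shows how a CGI handler can validate a 'pid' argument with a strict allowlist and then act on it without ever passing the value to a shell. The function names parse_pid_arg and signal_pid_arg, the PID_ARG_MAX bound, and the assumption that the handler's purpose is to signal a process are all hypothetical; the page does not say what sub_410C34 does with the argument.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Assumed upper bound for a process id accepted from the request. 2^22 is the
 * Linux default pid ceiling and is more than enough for an embedded router. */
#define PID_ARG_MAX        4194304L
#define PID_ARG_MAX_DIGITS 7

/* Allowlist validator for the "pid" CGI argument (hypothetical helper).
 * Returns 0 and stores the parsed value on success, -1 on any deviation
 * from a plain positive decimal number. */
int parse_pid_arg(const char *arg, pid_t *out)
{
    size_t len, i;
    long value;
    char *end;

    if (arg == NULL || out == NULL)
        return -1;
    len = strlen(arg);
    if (len == 0 || len > PID_ARG_MAX_DIGITS)       /* bounded length, never empty */
        return -1;
    for (i = 0; i < len; i++)                       /* digits only: no sign, space, quotes, $ ( ; | & ` */
        if (arg[i] < '0' || arg[i] > '9')
            return -1;
    if (arg[0] == '0')                              /* rejects "0" (whole process group) and "007" */
        return -1;
    errno = 0;
    value = strtol(arg, &end, 10);                  /* cannot overflow: at most 7 digits */
    if (errno != 0 || *end != '\0' || value < 1 || value > PID_ARG_MAX)
        return -1;
    *out = (pid_t)value;
    return 0;
}

/* Hypothetical handler action: deliver a signal to the validated pid.
 * Calling kill(2) directly means the request value never reaches a shell,
 * so even a gap in validation could not turn into command execution.
 * Returns 0 on success, -1 with errno set (EINVAL for a rejected argument). */
int signal_pid_arg(const char *arg, int sig)
{
    pid_t pid;
    if (parse_pid_arg(arg, &pid) != 0) {
        errno = EINVAL;
        return -1;
    }
    return kill(pid, sig);
}
```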