Cyber Resilience

CVE-2025-9934

Severity: Low · Public PoC

Published: 04 September 2025
Modified: 29 April 2026
CVSS Score (v4): 2.1
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0242 (85.5th percentile)
Risk Priority: 6 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-9934 is a low-severity Injection (CWE-74) vulnerability in Totolink X5000R Firmware. Its CVSS base score is 2.1 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 14.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Deeper analysis

A command injection vulnerability exists in the TOTOLINK X5000R router running firmware 9.1.0cu.2415_B20250515. The flaw resides in the sub_410C34 function of /cgi-bin/cstecgi.cgi and is triggered by unsanitized input supplied to the pid argument, corresponding to the CWE-74 and CWE-77 weaknesses. The issue received a CVSS 4.0 score of 2.1, reflecting limited impact and the requirement for low-privileged access.

An authenticated remote attacker can supply a crafted pid value to the CGI endpoint and achieve command execution on the device. Public proof-of-concept code demonstrating the injection has been released, confirming that exploitation can be performed over the network without user interaction.

The associated EPSS score remains low, moving only from 0.0242 to a peak of 0.0251. Public references consist of technical write-ups and exploit details hosted on GitHub and VulDB, with no vendor advisory or patch information provided in the available sources.

Vulnerability details

A vulnerability was found in TOTOLINK X5000R 9.1.0cu.2415_B20250515. This affects the function sub_410C34 of the file /cgi-bin/cstecgi.cgi. Performing manipulation of the argument pid results in command injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

T1202 Indirect Command Execution (Stealth): Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

Why these techniques?

Command injection in public-facing router CGI (/cgi-bin/cstecgi.cgi) via 'pid' parameter enables initial access through exploitation of public-facing application (T1190), indirect command execution via the CGI process (T1202), and Unix shell command execution (T1059.004).

CVEs Like This One

CVE-2025-14586 (same product: Totolink X5000R)
CVE-2024-57016 (same product: Totolink X5000R)
CVE-2024-57012 (same product: Totolink X5000R)
CVE-2024-57018 (same product: Totolink X5000R)
CVE-2024-57021 (same product: Totolink X5000R)
CVE-2024-57015 (same product: Totolink X5000R)
CVE-2024-57013 (same product: Totolink X5000R)
CVE-2024-57022 (same product: Totolink X5000R)
CVE-2024-57020 (same product: Totolink X5000R)
CVE-2024-57014 (same product: Totolink X5000R)

Affected Assets

totolink
x5000r firmware
9.1.0cu.2415_b20250515

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly blocks command injection by validating/sanitizing the untrusted 'pid' argument before it reaches sub_410C34 in cstecgi.cgi.

AC-3 Access Enforcement (prevent): Enforces access restrictions on the /cgi-bin/cstecgi.cgi endpoint so only explicitly authorized subjects can invoke the vulnerable function.

Prevent: Restricts network access to the router's management interface, reducing the remote attack surface for the publicly disclosed exploit.