CVE-2025-9935
Published: 04 September 2025
Summary
CVE-2025-9935 is a high-severity Injection (CWE-74) vulnerability in Totolink N600R Firmware. Its CVSS base score is 7.3 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 16.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a publicly referenced proof of concept.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): Directly mitigates the command injection by requiring validation of inputs reaching the vulnerable sub_4159F8 function in cstecgi.cgi.
SI-2 (Flaw Remediation): Remediates the specific command injection flaw through timely firmware updates or patches from the vendor.
Monitors and controls external access to the remotely exploitable web CGI endpoint, limiting exposure to unauthenticated attackers.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote command injection through the public-facing web CGI of a network router maps to Exploit Public-Facing Application (T1190), Command and Scripting Interpreter: Network Device CLI (T1059.008), and Indirect Command Execution (T1202).
NVD Description
A vulnerability was determined in TOTOLINK N600R 4.3.0cu.7866_B20220506. This vulnerability affects the function sub_4159F8 of the file /web_cste/cgi-bin/cstecgi.cgi. Executing manipulation can lead to command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized.
Deeper analysis
CVE-2025-9935 is a command injection vulnerability affecting the TOTOLINK N600R router on firmware version 4.3.0cu.7866_B20220506. The flaw exists in the sub_4159F8 function of the /web_cste/cgi-bin/cstecgi.cgi component, where manipulation enables command injection.
The vulnerability can be exploited remotely by unauthenticated attackers with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Successful exploitation allows attackers to execute arbitrary commands on the device, potentially resulting in limited impacts to confidentiality, integrity, and availability.
Public advisories and references, including a GitHub repository describing the unauthenticated command injection exploit, VulDB entries (ctiid.322337, id.322337, submit.643088), and the TOTOLINK website, confirm the issue and the public disclosure of the exploit. No specific patch is identified in the provided references; security practitioners should monitor the vendor site for firmware updates or mitigation guidance. The vulnerability maps to CWE-74 and CWE-77.
Details
- CWE(s): CWE-74, CWE-77