CVE-2025-9935
Published: 04 September 2025
Summary
CVE-2025-9935 is a medium-severity Injection (CWE-74) vulnerability in Totolink N600R Firmware. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 15.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-9935 is a command injection vulnerability in the TOTOLINK N600R wireless router running firmware version 4.3.0cu.7866_B20220506. It resides in the function sub_4159F8 within the file /web_cste/cgi-bin/cstecgi.cgi and is tracked under CWE-74 and CWE-77. The flaw lets a remote sender manipulate inputs that are passed to system commands; it is rated CVSS 5.5 with a network attack vector, no privileges required and no user interaction.
An unauthenticated attacker can send crafted requests over the network to execute arbitrary commands on the device. Successful exploitation yields limited effects on confidentiality, integrity, and availability of the affected router, with the public exploit code already available for reuse.
Public references document the issue through a detailed proof-of-concept on GitHub along with entries on VulDB, while the vendor site offers no specific mitigation guidance in the supplied references. The associated EPSS score remains low, moving only from 0.0208 to a peak of 0.0273.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-26653
Vulnerability details
A vulnerability was determined in TOTOLINK N600R 4.3.0cu.7866_B20220506. This vulnerability affects the function sub_4159F8 of the file /web_cste/cgi-bin/cstecgi.cgi. Executing manipulation can lead to command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Unauthenticated remote command injection through the public-facing web CGI of a network router maps to Exploit Public-Facing Application (T1190), Command and Scripting Interpreter: Network Device CLI (T1059.008), and Indirect Command Execution (T1202).
Mitigating Controls (NIST 800-53 r5) (AI)
- SI-10 (Information Input Validation): directly mitigates the command injection by requiring validation of inputs to the vulnerable sub_4159F8 function in cstecgi.cgi.
- SI-2 (Flaw Remediation): remediates the specific command injection flaw through timely firmware updates or patches from the vendor.
- Monitors and controls external access to the remotely exploitable web CGI endpoint, limiting exposure to unauthenticated attackers.