Cyber Resilience

CVE-2025-9935

Severity: Medium · Public PoC available

Published: 04 September 2025

Modified: 29 April 2026
KEV Added: not listed
Patch: none referenced
CVSS v4.0 score: 5.5 (Medium). Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0208 (84.3rd percentile)
Risk priority: 12 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-9935 is a medium-severity Injection (CWE-74) vulnerability in Totolink N600R Firmware. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 15.7% of CVEs by EPSS exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-9935 is a command injection vulnerability in the TOTOLINK N600R wireless router running firmware version 4.3.0cu.7866_B20220506. It resides in the function sub_4159F8 (an automatically generated disassembler label rather than a symbol name) within the file /web_cste/cgi-bin/cstecgi.cgi and is tracked under CWE-74 and CWE-77. The flaw permits remote manipulation of inputs that are passed to system commands. It is rated CVSS 5.5 with a network attack vector (AV:N) and requires no privileges (PR:N) or user interaction (UI:N).

An unauthenticated attacker can send crafted requests over the network to execute arbitrary commands on the device. The CVSS vector rates the impact on confidentiality, integrity and availability of the affected router as Low (VC:L/VI:L/VA:L), and public exploit code is already available for reuse.

Public references document the issue through a detailed proof-of-concept on GitHub along with entries on VulDB, while the vendor site offers no specific mitigation guidance in the supplied references. The associated EPSS score remains low, moving only from 0.0208 to a peak of 0.0273.


Vulnerability details

A vulnerability was determined in TOTOLINK N600R 4.3.0cu.7866_B20220506. This vulnerability affects the function sub_4159F8 of the file /web_cste/cgi-bin/cstecgi.cgi. Executing manipulation can lead to command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized.

CWE(s): CWE-74 (Injection), CWE-77 (Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.008 Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.
T1202 Indirect Command Execution (Defense Evasion)
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
Why these techniques?

Unauthenticated command injection through the public-facing web CGI of a network router maps to exploitation of a public-facing application (T1190), execution of commands through the device's command-line interpreter (T1059.008), and indirect command execution, since the command runs through the CGI process rather than a shell the attacker invokes directly (T1202).

CVEs Like This One

CVE-2025-51390 · Same product: Totolink N600R
CVE-2025-11444 · Same product: Totolink N600R
CVE-2025-7615 · Same vendor: Totolink
CVE-2025-7614 · Same vendor: Totolink
CVE-2026-5020 · Same vendor: Totolink
CVE-2026-1548 · Same vendor: Totolink
CVE-2026-1326 · Same vendor: Totolink
CVE-2026-5030 · Same vendor: Totolink
CVE-2026-5178 · Same vendor: Totolink
CVE-2026-1150 · Same vendor: Totolink

Affected Assets

Vendor: totolink · Product: n600r firmware · Version: 4.3.0cu.7866_b20220506

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-10 Information Input Validation (prevent)
Directly mitigates command injection by requiring validation of inputs to the vulnerable sub_4159F8 function in cstecgi.cgi.

SI-2 Flaw Remediation (prevent)
Remediates the specific command injection flaw through timely firmware updates or patches from the vendor.

Third control (identifier not given on this page; prevent, detect)
Monitors and controls external access to the remotely exploitable web CGI endpoint, limiting exposure to unauthenticated attackers.
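The following C example is added here for illustration; it is not TOTOLINK firmware code and not the public proof-of-concept. It demonstrates the bug class described in the deeper analysis above and the SI-10 and access-control mitigations listed here: an untrusted CGI parameter concatenated into a command line, an allow-list validator placed in front of it, and a request check for the exposed cstecgi.cgi endpoint that decodes the query before looking for shell metacharacters. The parameter name host, the ping command and the query-string transport are assumptions for the example; the page does not name the injectable parameter or state how it is delivered.

```c
/* Added example (not TOTOLINK code): command-injection bug class, an SI-10
 * style allow-list fix, and an edge check for the cstecgi.cgi endpoint.
 * The "host" parameter and the ping command are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern: an untrusted CGI parameter is concatenated into a command
 * line destined for system(). Input "192.168.0.1;reboot" yields
 * "ping -c 1 192.168.0.1;reboot", so a shell would run both commands.
 * Returns 0 on success, -1 if the buffer is too small. */
int build_cmd_vulnerable(char *out, size_t outlen, const char *host) {
    int n = snprintf(out, outlen, "ping -c 1 %s", host);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* SI-10 allow-list: only hostname/IPv4 characters, bounded length, and no
 * leading '-' so the value cannot be parsed as an option by the called program. */
int is_safe_host(const char *host) {
    size_t len = strlen(host);
    if (len == 0 || len > 253 || host[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-') return 0;
    }
    return 1;
}

/* Hardened wrapper: validate before the value ever reaches the command buffer. */
int build_cmd_hardened(char *out, size_t outlen, const char *host) {
    if (!is_safe_host(host)) return -1;
    return build_cmd_vulnerable(out, outlen, host);
}

/* Minimal percent-decoding ('+' becomes ' ') so that encoded metacharacters
 * such as %3B (';') are visible to the check. Returns bytes written or -1. */
int url_decode(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        if (o + 1 >= outlen) return -1;
        if (in[i] == '%' && isxdigit((unsigned char)in[i + 1]) &&
            isxdigit((unsigned char)in[i + 2])) {
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            out[o++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else if (in[i] == '+') {
            out[o++] = ' ';
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Proxy / edge-device check for the exposed endpoint: returns 1 when the
 * request targets cstecgi.cgi and its decoded query carries shell
 * metacharacters (or is too large to decode safely), 0 otherwise. */
int flag_cstecgi_request(const char *request_target) {
    const char *endpoint = "/web_cste/cgi-bin/cstecgi.cgi";
    size_t elen = strlen(endpoint);
    if (strncmp(request_target, endpoint, elen) != 0) return 0;
    if (request_target[elen] != '\0' && request_target[elen] != '?') return 0;
    const char *query = strchr(request_target, '?');
    if (query == NULL) return 0;
    char decoded[1024];
    if (url_decode(query + 1, decoded, sizeof decoded) < 0) return 1;
    return strpbrk(decoded, ";|&`$(){}\n") != NULL;
}

int main(void) {
    char cmd[256];
    const char *benign  = "192.168.0.1";          /* constructed sample input */
    const char *hostile = "192.168.0.1;reboot";   /* constructed sample input */
    build_cmd_vulnerable(cmd, sizeof cmd, hostile);
    printf("vulnerable builds: %s\n", cmd);
    printf("hardened accepts benign: %d\n", build_cmd_hardened(cmd, sizeof cmd, benign) == 0);
    printf("hardened rejects hostile: %d\n", build_cmd_hardened(cmd, sizeof cmd, hostile) == -1);
    printf("edge check flags encoded request: %d\n",
           flag_cstecgi_request("/web_cste/cgi-bin/cstecgi.cgi?host=192.168.0.1%3Breboot"));
    return 0;
}
```

The allow-list is deliberately narrower than "reject known metacharacters": rejecting a blacklist leaves encodings, whitespace variants and option-injection untouched, whereas accepting only the characters a hostname needs closes the class. The edge check is a compensating control for devices that cannot yet be patched and does not replace the firmware fix (SI-2).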
