CVE-2022-25135

Name of the Vulnerable Software and Affected Versions TOTOLINK Technology router T6 V3 Firmware version T6 V3 V4.1.5cu.748 B20211015

Description A command injection issue in the recv mesh info sync function allows attackers to execute arbitrary commands via a crafted MQTT packet. This can be exploited by sending a specially crafted packet to the vulnerable function, potentially leading to unauthorized access and control.

Recommendations For TOTOLINK Technology router T6 V3 Firmware version T6 V3 V4.1.5cu.748 B20211015, consider disabling the recv mesh info sync function until a patch is available to prevent exploitation via crafted MQTT packets. Restrict access to the MQTT endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.