CVE-2025-4849

Name of the Vulnerable Software and Affected Versions: TOTOLINK N300RH version 6.1c.1390 B20191101

Description: A critical issue affects the function CloudACMunualUpdateUserdata of the file "/cgi-bin/cstecgi.cgi". The manipulation of the url argument leads to command injection. This issue can be exploited remotely.

Recommendations: For TOTOLINK N300RH version 6.1c.1390 B20191101, as a temporary workaround, consider disabling the CloudACMunualUpdateUserdata function until a patch is available. Restrict access to the "/cgi-bin/cstecgi.cgi" file to minimize the risk of exploitation. Avoid using the url argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.