CVE-2025-7525

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions TOTOLINK T6 version 4.1.5cu.748 B20211015

Description A critical vulnerability exists in the HTTP POST Request Handler component of the affected software. The vulnerability is located in the setTracerouteCfg function within the /cgi-bin/cstecgi.cgi file. Manipulation of the command argument allows for command injection, and the attack can be initiated remotely. The exploit for this vulnerability has been publicly disclosed and may be used.

Recommendations TOTOLINK T6 version 4.1.5cu.748 B20211015: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Special Elements Injection

Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-74CWE-77

Related Identifiers

BDU:2025-08497

CVE-2025-7525

Affected Products

Totolink T6

CVE-2025-7525

Weakness Enumeration

Related Identifiers

Affected Products

References · 15