PT-2025-40255 · Totolink · Totolink X18

Ilovekeer · Published 2025-10-01 · Updated 2025-10-26 · CVE-2025-61045

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: TOTOLINK X18 version V9.1.0cu.2053 B20230309
Description: The setEasyMeshAgentCfg function in the TOTOLINK X18 router firmware does not properly sanitize the data it receives in the mac parameter at the management level. Because the unsanitized value reaches an OS command, a remote attacker can execute arbitrary commands. The vulnerability is an OS command injection through the mac parameter of the setEasyMeshAgentCfg function.
Recommendations: Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider disabling the setEasyMeshAgentCfg function until a patch is available. Restrict access to the mac parameter of the affected function setEasyMeshAgentCfg() to minimize the risk of exploitation.
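The missing input check described above, as an added example that is not code from the advisory or from the TOTOLINK firmware: a strict allow-list validator for a MAC parameter in C, the kind of check a handler such as setEasyMeshAgentCfg would need before the value is ever placed in a command line. The helper names and the sample inputs are constructed for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Allow-list check for a MAC address of the form aa:bb:cc:dd:ee:ff.
 * Returns 1 only when the input is exactly 17 characters: six pairs of
 * hex digits separated by colons. Anything else, including shell
 * metacharacters such as ';', '`', '$' or '|', is rejected outright.
 * Hypothetical helper, not firmware code. */
int is_valid_mac(const char *s)
{
    if (s == NULL || strlen(s) != 17)
        return 0;
    for (int i = 0; i < 17; i++) {
        if (i % 3 == 2) {
            if (s[i] != ':')
                return 0;
        } else if (!isxdigit((unsigned char)s[i])) {
            return 0;
        }
    }
    return 1;
}

/* Copy the MAC into a fixed-size buffer, normalised to lower case, but
 * only after it passed validation. Returns 0 on success and -1 when the
 * value is rejected, so a caller never builds a command from unchecked
 * input. Hypothetical helper, not firmware code. */
int sanitize_mac(const char *in, char *out, size_t outlen)
{
    if (!is_valid_mac(in) || outlen < 18)
        return -1;
    for (int i = 0; i < 17; i++)
        out[i] = (char)tolower((unsigned char)in[i]);
    out[17] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: one well-formed, two that must be rejected. */
    const char *samples[] = { "AA:BB:CC:DD:EE:FF",
                              "aa:bb:cc:dd:ee:ff;id",
                              "aa-bb-cc-dd-ee-ff" };
    char buf[18];
    for (size_t i = 0; i < 3; i++)
        printf("%-22s -> %s\n", samples[i],
               sanitize_mac(samples[i], buf, sizeof buf) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Rejecting on length and character class, rather than trying to strip dangerous characters, is what keeps the check simple to audit; passing the validated value as a separate argv entry instead of through a shell removes the remaining risk.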

Tags: Exploit · Fix · RCE · OS Command Injection · Command Injection

Weakness Enumeration

Related Identifiers: BDU:2025-12688, CVE-2025-61045

Affected Products: Totolink X18