CVE-2025-44854

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-44854
TOTOLINK CP900 V6.3c.1144_B20190715 was found to contain a command injection vulnerability in the setUpgradeUboot function via the FileName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

6.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References
Link Resource
https://github.com/Summermu/VulnForIoT/tree/main/Totolink_CP900/setUpgradeUboot/readme.md Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:totolink:cp900_firmware:6.3c.1144_b20190715:*:*:*:*:*:*:*
cpe:2.3:h:totolink:cp900:-:*:*:*:*:*:*:*
History

22 May 2025, 15:32

Type Values Removed Values Added
References () https://github.com/Summermu/VulnForIoT/tree/main/Totolink_CP900/setUpgradeUboot/readme.md - () https://github.com/Summermu/VulnForIoT/tree/main/Totolink_CP900/setUpgradeUboot/readme.md - Exploit, Third Party Advisory
First Time Totolink
Totolink cp900
Totolink cp900 Firmware
CPE cpe:2.3:o:totolink:cp900_firmware:6.3c.1144_b20190715:*:*:*:*:*:*:*
cpe:2.3:h:totolink:cp900:-:*:*:*:*:*:*:*

02 May 2025, 13:53

Type Values Removed Values Added
Summary
  • (es) Se descubrió que TOTOLINK CP900 V6.3c.1144_B20190715 contenía una vulnerabilidad de inyección de comandos en la función setUpgradeUboot mediante el parámetro FileName. Esta vulnerabilidad permite a los atacantes ejecutar comandos arbitrarios mediante una solicitud manipulada.

01 May 2025, 21:15

Type Values Removed Values Added
Summary (en) Totolink CP900 V6.3c.1144_B20190715 was found to contain a command injection vulnerability in the setUpgradeUboot function via the FileName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. (en) TOTOLINK CP900 V6.3c.1144_B20190715 was found to contain a command injection vulnerability in the setUpgradeUboot function via the FileName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 6.3
CWE CWE-77

01 May 2025, 14:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-05-01 14:15

Updated : 2025-05-22 15:32

NVD link : CVE-2025-44854

Mitre link : CVE-2025-44854

CVE.ORG link : CVE-2025-44854

JSON object : View

Products Affected

totolink

  • cp900_firmware
  • cp900
CWE
CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')