CVE-2025-44836
Description
TOTOLINK CPE CP900 V6.3c.1144_B20190715 was discovered to contain a command injection vulnerability in the setApRebootScheCfg function via the hour or minute parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TOTOLINK CPE CP900 V6.3c.1144_B20190715 has a command injection in setApRebootScheCfg via hour/minute parameters, allowing unauthenticated remote code execution.
Vulnerability
The setApRebootScheCfg function in TOTOLINK CPE CP900 firmware version V6.3c.1144_B20190715 contains a command injection vulnerability. The function retrieves user-supplied hour and minute parameters via websGetVar and directly incorporates them into a sprintf call that builds a command string: sprintf(v19, "echo '%s %s * * %s reboot -f'>> /etc/crontabs/root", v7, v6, v21). This string is then passed to CsteSystem for execution without sanitization. The vulnerability is reachable via a POST request to /cgi-bin/cstecgi.cgi with the topicurl setting/setApRebootScheCfg. [1]
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP POST request to the device's web interface. No authentication is required as the function is accessible without prior login. The attacker includes malicious shell metacharacters (e.g., backticks or semicolons) in the hour or minute parameters. For example, the reference shows a payload where hour is set to '1;pwd' and minute to '2;pwd', which results in the pwd command being executed on the device. The command injection occurs because the unsanitized input is placed directly into a shell command that is executed via CsteSystem. [1]
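The input validation that the handler lacks, sketched as an added example (not TOTOLINK's code and not from the cited reference). The function names, the minute/hour/weekday field order, and the single-weekday range 0-7 are assumptions; the entry is built from range-checked integers and appended with file I/O, so no shell is involved.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Strictly parse a 1-2 digit decimal field and range-check it.
 * Rejects signs, whitespace, shell metacharacters and empty input. */
static int parse_field(const char *s, int lo, int hi, int *out)
{
    size_t n = s ? strlen(s) : 0;
    if (n < 1 || n > 2)
        return -1;
    int v = 0;
    for (size_t i = 0; i < n; i++) {
        if (!isdigit((unsigned char)s[i]))
            return -1;
        v = v * 10 + (s[i] - '0');
    }
    if (v < lo || v > hi)
        return -1;
    *out = v;
    return 0;
}

/* Build the crontab entry from validated integers only; returns 0 on success.
 * Assumed field order (cron convention): minute hour * * weekday. */
int build_reboot_entry(const char *hour, const char *minute, const char *week,
                       char *line, size_t len)
{
    int h, m, w;
    if (parse_field(hour, 0, 23, &h) || parse_field(minute, 0, 59, &m) ||
        parse_field(week, 0, 7, &w))
        return -1;
    int n = snprintf(line, len, "%d %d * * %d reboot -f\n", m, h, w);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

/* Append the entry with file I/O instead of a shell "echo >>" command. */
int append_reboot_entry(const char *path, const char *hour,
                        const char *minute, const char *week)
{
    char line[64];
    if (build_reboot_entry(hour, minute, week, line, sizeof line))
        return -1;
    FILE *f = fopen(path, "a");
    if (!f)
        return -1;
    int rc = (fputs(line, f) == EOF) ? -1 : 0;
    return (fclose(f) == 0) ? rc : -1;
}
```

With this check, the values '1;pwd' and '2;pwd' quoted above are rejected before any string is built.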
Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary commands on the affected device with root privileges (since the web server runs as root). This can lead to full compromise of the device, including data exfiltration, installation of malware, or use of the device as a pivot point in further attacks. The impact is high due to the lack of authentication and the criticality of the device as a network gateway.
Mitigation
As of the publication date (2025-05-01), no official patch has been released by TOTOLINK. Users are advised to restrict network access to the device's web interface to trusted networks only, or disable remote management if not required. The device may be end-of-life; users should consider replacing it with a supported model. No workaround is available that fully mitigates the vulnerability without disabling functionality. [1]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.