Unrated severity · NVD Advisory · Published May 1, 2025 · Updated May 1, 2025

CVE-2025-44838

Description

TOTOLINK CPE CP900 V6.3c.1144_B20190715 was discovered to contain a command injection vulnerability in the setUploadUserData function via the FileName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A command injection in TOTOLINK CP900 setUploadUserData via the FileName parameter lets unauthenticated attackers execute arbitrary commands over the network.

Vulnerability

A command injection vulnerability exists in the setUploadUserData function of TOTOLINK CPE CP900 firmware version V6.3c.1144_B20190715. The function retrieves the FileName parameter via websGetVar and passes it unsanitized into a sprintf call that builds a rm -rf command executed by CsteSystem. This allows an attacker to inject arbitrary OS commands by including shell metacharacters in the FileName value [1].
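
The pattern described above, sketched in C next to a hardened form, as an added example that is not TOTOLINK's firmware code. The directory constant and every function name are assumptions. The hardened variant allowlists the file name and deletes with unlink() instead of building a shell command.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed placeholder: the advisory does not give the firmware's real path. */
#define UPLOAD_DIR "/tmp/upload_placeholder"

/* Vulnerable pattern: the request value is formatted straight into a shell
 * command line. This only builds the string; in the firmware the result is
 * handed to CsteSystem, so ';' ends the rm and starts a second command. */
int build_rm_command_vulnerable(char *out, size_t n, const char *file_name)
{
    return snprintf(out, n, "rm -rf %s/%s", UPLOAD_DIR, file_name);
}

/* Allowlist: 1..64 chars of [A-Za-z0-9._-], not starting with '.', which
 * excludes path separators, "..", whitespace and shell metacharacters. */
int is_safe_file_name(const char *s)
{
    static const char ok[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                             "abcdefghijklmnopqrstuvwxyz0123456789._-";
    size_t len = s ? strlen(s) : 0;
    if (len == 0 || len > 64 || s[0] == '.')
        return 0;
    return strspn(s, ok) == len;
}

/* Hardened form: validate, then delete with unlink(2); no shell is involved.
 * Returns 0 on success, -1 if the name is rejected or unlink fails. */
int remove_upload_hardened(const char *dir, const char *file_name)
{
    char path[256];
    int n;
    if (!is_safe_file_name(file_name))
        return -1;
    n = snprintf(path, sizeof path, "%s/%s", dir, file_name);
    if (n < 0 || (size_t)n >= sizeof path)
        return -1;
    return unlink(path);
}

int main(void)
{
    char cmd[128];
    build_rm_command_vulnerable(cmd, sizeof cmd, "1;pwd"); /* value from the advisory */
    printf("vulnerable builds: %s\n", cmd);
    printf("allowlist accepts \"1;pwd\": %d\n", is_safe_file_name("1;pwd"));
    return remove_upload_hardened(UPLOAD_DIR, "1;pwd") == -1 ? 0 : 1;
}
```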

Exploitation

The vulnerability can be triggered remotely over HTTP. An attacker crafts a POST request to /cgi-bin/cstecgi.cgi with a JSON body containing topicurl set to setting/setUploadUserData and FileName set to a value with a command injection payload, such as '1;pwd'. No authentication or prior access is required; the attacker only needs network connectivity to the device's management interface [1].

Impact

Successful exploitation results in arbitrary command execution on the underlying operating system with the privileges of the web server process. This can lead to full device compromise, including disclosure of sensitive data, modification of configuration, or further network attacks [1].

Mitigation

The vendor has not released a patched firmware version as of the publication date (2025-05-01). No workaround is available. Users should consider disabling remote management access or isolating the device from untrusted networks until a fix is provided [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Totolink/CPE CP900 (cpe-rescue), 2 versions
    • (no CPE)
    • (no CPE), range: V6.3c.1144_B20190715

Patches

0

No patches discovered yet.

References

1
