CVE-2025-44854
Description
TOTOLINK CP900 V6.3c.1144_B20190715 was found to contain a command injection vulnerability in the setUpgradeUboot function via the FileName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Command injection in TOTOLINK CP900 firmware V6.3c.1144_B20190715 allows remote attackers to execute arbitrary commands via the FileName parameter in setUpgradeUboot.
Vulnerability
The TOTOLINK CP900 router running firmware version V6.3c.1144_B20190715 contains a command injection vulnerability in the setUpgradeUboot function. The FileName parameter, passed via a POST request to /cgi-bin/cstecgi.cgi with the topicurl setting/setUpgradeUboot, is not properly sanitized before being used in a system command. This allows an attacker to inject arbitrary operating system commands by including shell metacharacters (e.g., ;) in the FileName value. The vulnerability is reachable through the device's web interface without requiring prior authentication, as demonstrated by the proof-of-concept request [1].
Exploitation
An attacker with network access to the TOTOLINK CP900 can exploit this vulnerability by sending a crafted HTTP POST request to the device's CGI endpoint. The request must include a valid SESSION_ID cookie (which may be obtained from a legitimate session or by exploiting default credentials) and a JSON payload containing the topicurl set to setting/setUpgradeUboot and a FileName parameter with injected commands. For example, the payload "FileName": "1;pwd" executes the pwd command after the intended file name. The attacker does not need any special privileges beyond network connectivity and a valid session cookie [1].
Impact
Successful exploitation allows an attacker to execute arbitrary commands on the underlying operating system with the privileges of the web server process, typically root. This leads to full compromise of the router, including the ability to modify configuration, exfiltrate sensitive data, install malware, or use the device as a pivot point for further attacks on the local network. The impact is severe as it affects the core functionality of the device and can be achieved remotely without user interaction [1].
Mitigation
As of the publication date, no official patch or firmware update has been released by TOTOLINK to address this vulnerability. The affected firmware version V6.3c.1144_B20190715 is likely end-of-life, and no workaround is available. Users are advised to isolate the device from untrusted networks, disable remote management if possible, and consider replacing the router with a supported model that receives security updates [1].
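Because no fixed firmware exists, monitoring in front of the device is one of the few controls left. The following is an added example, not code from the advisory or from TOTOLINK: a request inspector for a proxy or log pipeline that flags `setUpgradeUboot` calls whose `FileName` is not a plain file name. The allowlist pattern, the `Pairs` helper, the verdict names and the sample requests are assumptions made for illustration.

```python
import json
import re

ENDPOINT = "/cgi-bin/cstecgi.cgi"   # CGI path named in the advisory
HANDLER = "setUpgradeUboot"         # vulnerable function named in the advisory
# Assumption: a legitimate FileName is a plain file name, so anything outside
# this allowlist (shell metacharacters, spaces, slashes) is flagged.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,128}")


class Pairs(list):
    """JSON object kept as (key, value) pairs so duplicate keys stay visible."""


def inspect_request(method, path, body):
    """Classify one captured HTTP request as ignore / review / alert."""
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return "ignore", "not a POST to the CGI endpoint"
    try:
        data = json.loads(body, object_pairs_hook=Pairs)
    except ValueError:
        return "review", "unparseable body sent to the CGI endpoint"
    if not isinstance(data, Pairs):
        return "review", "JSON body is not an object"
    topics = [v for k, v in data if k == "topicurl"]
    if not any(isinstance(t, str) and HANDLER in t for t in topics):
        return "ignore", "different topicurl"
    # Assumption: we do not know which duplicate key the device honours,
    # so every FileName value in the body must pass the allowlist.
    names = [v for k, v in data if k == "FileName"]
    bad = [n for n in names
           if not isinstance(n, str) or SAFE_NAME.fullmatch(n) is None]
    if bad:
        return "alert", "FileName outside allowlist: %r" % (bad,)
    return "review", "bootloader upgrade call with plain FileName"


# Constructed sample requests; "1;pwd" is the value quoted in the advisory.
SAMPLES = [
    ("POST", ENDPOINT, '{"topicurl": "setting/setUpgradeUboot", "FileName": "1;pwd"}'),
    ("POST", ENDPOINT, '{"topicurl": "setting/setUpgradeUboot", "FileName": "uboot.bin"}'),
    ("POST", ENDPOINT, '{"topicurl": "setting/otherTopic", "FileName": "x"}'),
    ("GET", "/index.html", ""),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        print(inspect_request(method, path, body), body)
```

Even a clean `FileName` returns `review` rather than `ignore`, since a bootloader upgrade request is rare enough to be worth a look on its own.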
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.