CVE-2025-14586

MediumPublic PoC

Published: 13 December 2025

Published

13 December 2025

Modified

29 April 2026

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0171 82.5th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability was determined in TOTOLINK X5000R 9.1.0cu.2089_B20211224. Affected by this issue is the function snprintf of the file /cgi-bin/cstecgi.cgi?action=exportOvpn&type=user. This manipulation of the argument User causes os command injection. Remote exploitation of the attack is possible. The exploit has…

been publicly disclosed and may be utilized.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the OS command injection flaw in the snprintf function of cstecgi.cgi by requiring timely patching of the TOTOLINK firmware.

SI-10 Information Input Validation good match

prevent

Validates and sanitizes the User argument to the exportOvpn endpoint, preventing malicious input from triggering command injection.

AC-6 Least Privilege partial match

prevent

Enforces least privilege on the CGI process handling user input, limiting the impact and scope of any successful command injection.

Security SummaryAI

CVE-2025-14586 is an OS command injection vulnerability (CWE-77, CWE-78) affecting the TOTOLINK X5000R router on firmware version 9.1.0cu.2089_B20211224. The flaw exists in the snprintf function of the /cgi-bin/cstecgi.cgi?action=exportOvpn&type=user endpoint, where manipulation of the "User" argument triggers command injection.

Remote exploitation is possible by attackers with low privileges over the network (AV:N/AC:L/PR:L/UI:N), requiring no user interaction and maintaining unchanged scope. Successful attacks yield low impacts on confidentiality, integrity, and availability (CVSS 6.3), allowing arbitrary OS command execution.

VulDB advisories detail the issue and reference a publicly disclosed proof-of-concept exploit on GitHub. The vendor's site at totolink.net is listed, but no specific patches or mitigations are outlined in the provided references.

The exploit has been publicly disclosed and may be utilized, heightening the risk of real-world attacks on unpatched devices.

Details

CWE(s): CWE-77 CWE-78

Affected Products

totolink

x5000r firmware

9.1.0cu.2089_b20211224

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

T1202 Indirect Command Execution Stealth

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

attack.mitre.org →

Why these techniques?

Public-facing CGI vulnerability enables remote exploitation (T1190). Allows OS command injection via snprintf/system() on embedded Linux router, facilitating Unix Shell execution (T1059.004) and indirect command execution (T1202) as noted in advisories.

References

https://github.com/awigwu76/TOTOLINK_X5000R/blob/main/1.md
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.336206
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.336206
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.705593
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.totolink.net/
Product · cna@vuldb.com