CVE-2025-2094
Published: 07 March 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2025-2094 is an OS command injection vulnerability in the TOTOLINK EX1800T router firmware version 9.1.0cu.2112_B20220316. The flaw affects the setWiFiExtenderConfig function in the /cgi-bin/cstecgi.cgi file, where manipulation of the apcliKey/key argument enables command injection. Rated as critical with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), it maps to CWE-77 and CWE-78.
An attacker with low privileges can exploit this remotely by sending a crafted request to the vulnerable endpoint, injecting and executing arbitrary OS commands on the device. The impact on confidentiality, integrity, and availability is limited, such as reading or modifying restricted data, altering system behavior, or disrupting services to a minor degree.
Advisories referenced in VulDB entries (ctiid.298952, id.298952, submit.515319) detail the issue and its remote exploitability, while a GitHub repository provides a disclosed proof-of-concept exploit targeting the apcliKey parameter in setWiFiExtenderConfig. The vendor site at totolink.net is listed but offers no specific patch or mitigation details in the available references.
The exploit has been publicly disclosed and may be used against affected devices.
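With no vendor patch referenced, one defensive option is to triage logged requests to the affected handler. The following is an added example, not code from the advisory or the vendor: it flags apcliKey/key values that contain shell control tokens or cannot be a WPA passphrase. It assumes the request body is JSON with the handler named in a "topicurl" field; the function name and the sample requests are constructed for illustration.

```python
import json

# Path, handler and field names are taken from the advisory text.
CGI_PATH = "/cgi-bin/cstecgi.cgi"
HANDLER = "setWiFiExtenderConfig"
KEY_FIELDS = ("apcliKey", "key")

# Substrings a shell treats as command separators, substitutions or redirects.
SHELL_TOKENS = (";", "|", "&", "`", "$(", "${", "\n", "\r", ">", "<")


def inspect_request(path, body):
    """Return a list of findings for one logged HTTP request."""
    # Assumption: the body is JSON and names its handler in "topicurl";
    # adjust the parsing if your capture uses another encoding.
    if path.split("?", 1)[0] != CGI_PATH:
        return []
    try:
        params = json.loads(body)
    except ValueError:
        return ["unparseable body sent to " + CGI_PATH]
    if not isinstance(params, dict) or HANDLER not in str(params.get("topicurl", "")):
        return []
    findings = []
    for field in KEY_FIELDS:
        value = params.get(field)
        if value is None:
            continue
        if not isinstance(value, str):
            findings.append(f"{field}: non-string value")
            continue
        # A real passphrase may contain some of these characters, so treat
        # a hit as a triage signal, not as proof of an attack.
        hits = [t for t in SHELL_TOKENS if t in value]
        if hits:
            findings.append(f"{field}: shell tokens {hits!r}")
        # WPA passphrases are 8-63 printable ASCII characters (or 64 hex digits).
        if len(value) > 64 or not all(32 <= ord(c) <= 126 for c in value):
            findings.append(f"{field}: not a valid WPA passphrase")
    return findings


# Constructed sample requests (not captured traffic).
SAMPLES = [
    (CGI_PATH, '{"topicurl": "setWiFiExtenderConfig", "apcliKey": "correct horse 42"}'),
    (CGI_PATH, '{"topicurl": "setWiFiExtenderConfig", "apcliKey": "x;CONSTRUCTED_MARKER"}'),
]

if __name__ == "__main__":
    for path, body in SAMPLES:
        print(path, inspect_request(path, body))
```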
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection in public-facing CGI endpoint (setWiFiExtenderConfig) directly enables T1190 via crafted web requests and T1059.004 for arbitrary Unix shell command execution on the router firmware.