CVE-2025-2096
Published: 07 March 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2025-2096 is a critical OS command injection vulnerability in the TOTOLINK EX1800T router running firmware version 9.1.0cu.2112_B20220316. The issue resides in the setRebootScheCfg function within the /cgi-bin/cstecgi.cgi file, where manipulation of the arguments mode, week, minute, or recHour enables arbitrary command execution. Associated with CWE-77 (Command Injection) and CWE-78 (OS Command Injection), it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
A remote attacker with low privileges (PR:L) can exploit this vulnerability over the network with no user interaction required. By crafting malicious requests to the affected CGI endpoint, the attacker injects and executes operating system commands, potentially leading to limited impacts on confidentiality, integrity, and availability, such as data leakage, modification of system settings, or service disruption.
Advisories from VulDB and a public GitHub repository detail the vulnerability and provide a proof-of-concept exploit targeting the setRebootScheCfg endpoint. The manufacturer's website (totolink.net) is referenced, but no specific patches or mitigation guidance are outlined in the available sources; practitioners should monitor for firmware updates from TOTOLINK.
The exploit has been publicly disclosed and is available for use, increasing the risk of targeted attacks against exposed TOTOLINK EX1800T devices.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote OS command injection in the router's public-facing web CGI interface enables exploitation of public-facing applications (T1190) and execution of arbitrary Unix shell commands on the embedded Linux-based device (T1059.004).