CVE-2025-13184 – This critical vulnerability allows unauthentica... (How to Fix)

Q: What is the severity of CVE-2025-13184?

CVE-2025-13184 has a CVSS score of 9.8 (CRITICAL). This critical vulnerability allows unauthenticated attackers to enable Telnet service and gain root access with blank password on Totolink X5000R routers. Attackers can execute arbitrary commands as root, completely compromising affected devices. Users of Totolink X5000R AX1800 routers with vulnerable firmware are affected.

📋 TL;DR

This critical vulnerability allows unauthenticated attackers to enable Telnet service and gain root access with blank password on Totolink X5000R routers. Attackers can execute arbitrary commands as root, completely compromising affected devices. Users of Totolink X5000R AX1800 routers with vulnerable firmware are affected.

💻 Affected Systems

Products:

Totolink X5000R AX1800 Router

Versions: V9.1.0u.6369_B20230113 and earlier versions with same implementation

Operating Systems: Embedded Linux firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Factory reset devices are particularly vulnerable. Other Totolink models may share vulnerable codebase.

📦 What is this software?

X5000r Firmware by Totolink

View all CVEs affecting X5000r Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device takeover allowing attackers to intercept all network traffic, install persistent malware, pivot to internal networks, and use device as botnet node.

🟠

Likely Case

Router compromise leading to credential theft, DNS hijacking, man-in-the-middle attacks, and network surveillance.

🟢

If Mitigated

Limited impact if device is behind firewall with no internet exposure and network segmentation prevents lateral movement.

🌐 Internet-Facing: HIGH - Direct internet exposure makes routers immediately exploitable by automated scanners.

🏢 Internal Only: MEDIUM - Internal attackers or malware could exploit this to pivot through networks.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Simple HTTP request to cstecgi.cgi with specific parameters enables Telnet and grants root access. Exploit requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Check Totolink website for firmware updates 2. If update available, download and flash firmware 3. Factory reset after update 4. Change all default credentials

🔧 Temporary Workarounds

Disable WAN management

all

Prevent external access to router management interface

Block cstecgi.cgi access

linux

Use firewall rules to block access to vulnerable endpoint

iptables -A INPUT -p tcp --dport 80 -m string --string "cstecgi.cgi" --algo bm -j DROP

🧯 If You Can't Patch

Replace affected routers with different vendor/model
Place routers behind dedicated firewall with strict inbound rules

🔍 How to Verify

Check if Vulnerable:

Attempt to access http://[router-ip]/cstecgi.cgi?action=telnet&enable=1 and check if Telnet becomes accessible on port 23

Check Version:

Check router web interface or use nmap -sV -p 80 [router-ip] to identify firmware version

Verify Fix Applied:

Verify cstecgi.cgi endpoint no longer accepts telnet enablement commands and Telnet service remains disabled

📡 Detection & Monitoring

Log Indicators:

HTTP requests to cstecgi.cgi with telnet parameters
Unexpected Telnet service activation
Failed authentication attempts followed by successful root login

Network Indicators:

Port 23 (Telnet) opening unexpectedly
HTTP POST/GET requests to cstecgi.cgi endpoint
Unusual outbound connections from router

SIEM Query:

source="router.logs" AND (uri="*cstecgi.cgi*" OR port=23)

📊 Metadata

CVE ID: CVE-2025-13184

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-863

EPSS Score: 0.58% exploit probability (68.5th percentile)

Published: December 10, 2025

Last Updated: December 19, 2025

🔗 References

https://hackingbydoing.wixsite.com/hackingbydoing/post/totolink-x5000r-ax1800-router-authentication-bypass Exploit,Third Party Advisory
https://www.kb.cert.org/vuls/id/821724 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-13184, you might also want to check these: