CVE-2025-2096 – This critical vulnerability in TOTOLINK EX1800T... (How to Fix)

Q: What is the severity of CVE-2025-2096?

CVE-2025-2096 has a CVSS score of 6.3 (MEDIUM). This critical vulnerability in TOTOLINK EX1800T routers allows remote attackers to execute arbitrary operating system commands through command injection in the setRebootScheCfg function. Attackers can exploit this to gain full control of affected devices. All users of TOTOLINK EX1800T routers with firmware version 9.1.0cu.2112_B20220316 are affected.

📋 TL;DR

This critical vulnerability in TOTOLINK EX1800T routers allows remote attackers to execute arbitrary operating system commands through command injection in the setRebootScheCfg function. Attackers can exploit this to gain full control of affected devices. All users of TOTOLINK EX1800T routers with firmware version 9.1.0cu.2112_B20220316 are affected.

💻 Affected Systems

Products:

TOTOLINK EX1800T

Versions: 9.1.0cu.2112_B20220316

Operating Systems: Embedded Linux (router firmware)

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability exists in the default web interface configuration. No special configuration is required for exploitation.

📦 What is this software?

Ex1800t Firmware by Totolink

View all CVEs affecting Ex1800t Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing attackers to install persistent backdoors, pivot to internal networks, intercept all network traffic, or brick the device.

🟠

Likely Case

Attackers gain shell access to execute commands, potentially installing malware, creating backdoors, or using the device for botnet activities.

🟢

If Mitigated

Limited impact if device is behind strict firewall rules, not internet-facing, and network segmentation prevents lateral movement.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and public exploit code exists, making internet-facing devices immediate targets.

🏢 Internal Only: MEDIUM - Internal devices are still vulnerable to authenticated attackers or if attackers gain internal network access through other means.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit code is available on GitHub, making this easily weaponizable. The attack requires no authentication and can be executed remotely.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.totolink.net/

Restart Required: Yes

Instructions:

1. Check TOTOLINK website for firmware updates. 2. Download latest firmware. 3. Access router admin interface. 4. Navigate to firmware upgrade section. 5. Upload and apply new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external access to the vulnerable web interface

Access router admin panel -> System -> Remote Management -> Disable

Restrict Web Interface Access

all

Limit access to router admin interface to trusted IPs only

Access router admin panel -> Security -> Access Control -> Add trusted IP ranges

🧯 If You Can't Patch

Isolate affected routers in separate VLAN with strict firewall rules
Implement network monitoring for suspicious traffic to/from router management interface

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface under System -> Firmware Upgrade. If version is 9.1.0cu.2112_B20220316, device is vulnerable.

Check Version:

curl -s http://router-ip/cgi-bin/cstecgi.cgi | grep version

Verify Fix Applied:

After firmware update, verify version has changed from 9.1.0cu.2112_B20220316. Test the setRebootScheCfg endpoint with safe payloads.

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to /cgi-bin/cstecgi.cgi with setRebootScheCfg
Commands containing shell metacharacters in web logs
Multiple failed authentication attempts followed by successful command execution

Network Indicators:

Unusual outbound connections from router to external IPs
Traffic patterns indicating reverse shells
Unexpected port scans originating from router

SIEM Query:

source="router_logs" AND uri="/cgi-bin/cstecgi.cgi" AND (method="POST" OR params CONTAINS "setRebootScheCfg")

📊 Metadata

CVE ID: CVE-2025-2096

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-77

EPSS Score: 3.72% exploit probability (87.7th percentile)

Published: March 7, 2025

Last Updated: April 3, 2025

🔗 References

https://github.com/kn0sky/cve/blob/main/TOTOLINK%20EX1800T/OS%20Command%20Injection%2004%20setRebootScheCfg-_mode.md Exploit,Third Party Advisory
https://vuldb.com/?ctiid.298954 Permissions Required,VDB Entry
https://vuldb.com/?id.298954 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.515322 Third Party Advisory,VDB Entry
https://www.totolink.net/ Product
https://github.com/kn0sky/cve/blob/main/TOTOLINK%20EX1800T/OS%20Command%20Injection%2004%20setRebootScheCfg-_mode.md Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-2096, you might also want to check these: