CVE-2025-44655

9.8 CRITICAL

📋 TL;DR

This vulnerability in TOTOLink routers allows attackers to bypass FTP directory restrictions due to misconfigured vsftpd settings. Attackers can access system files, escalate privileges, or use the compromised device to attack internal networks. Users of TOTOLink A7100RU V7.4, A950RG V5.9, and T10 V5.9 routers are affected.

💻 Affected Systems

Products:
  • TOTOLink A7100RU
  • TOTOLink A950RG
  • TOTOLink T10
Versions: A7100RU V7.4, A950RG V5.9, T10 V5.9
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires FTP service to be enabled and accessible. The chroot_local_user option being enabled in vsftpd.conf is the specific misconfiguration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise leading to complete router takeover, credential theft, lateral movement to internal networks, and persistent backdoor installation.

🟠 Likely Case

Unauthorized access to sensitive system files, configuration extraction, and potential privilege escalation to root.

🟢 If Mitigated

Limited impact if FTP service is disabled or properly firewalled, though the vulnerability remains present.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing, and FTP services may be exposed to external attackers.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this if they gain network access, though external exposure is more concerning.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires FTP access but is straightforward once access is obtained. The GitHub gist provides technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: http://totolink.com

Restart Required: Yes

Instructions:

1. Check the TOTOLink website for firmware updates.
2. Download the appropriate firmware for your model.
3. Upload it via the router admin interface.
4. Reboot the router after the update.

🔧 Temporary Workarounds

Disable FTP Service (applies to: all)

Completely disable the FTP service if it is not required.

Check the router admin interface for FTP settings and disable the service.

Modify vsftpd Configuration (applies to: linux)

Change chroot_local_user to NO in vsftpd.conf:

1. Edit /etc/vsftpd.conf
2. Change 'chroot_local_user=YES' to 'chroot_local_user=NO'
3. Restart the vsftpd service

🧯 If You Can't Patch

  • Disable FTP service entirely through router administration interface
  • Implement strict firewall rules to block FTP access from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check whether the FTP service is enabled and accessible, then examine /etc/vsftpd.conf for the 'chroot_local_user=YES' setting.

Check Version:

Check the router admin interface, or run 'cat /proc/version' over SSH if it is available.

Verify Fix Applied:

Verify 'chroot_local_user=NO' in vsftpd.conf and confirm FTP service is either disabled or properly restricted.
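To make the "Check if Vulnerable" and "Verify Fix Applied" steps repeatable, here is an added shell example (not from the advisory or from TOTOLink) that reads the effective value of chroot_local_user from a vsftpd.conf using vsftpd's own parsing rules: '#' lines are comments, the last occurrence of an option wins, and boolean values YES/TRUE/1 and NO/FALSE/0 are accepted case-insensitively. The sample config it checks is constructed for the example; point it at /etc/vsftpd.conf on a device you administer.

```shell
#!/bin/sh
# Added example, not part of the advisory: report the effective value of a
# boolean option in a vsftpd.conf, as the "How to Verify" section suggests.

# vsftpd_bool FILE OPTION -> prints YES, NO, or INVALID:<value>
vsftpd_bool() {
    conf="$1"; opt="$2"
    # vsftpd option names are case-sensitive, so the key is matched exactly;
    # comment lines start with '#' and never match "^opt=".
    val=$(grep "^${opt}=" "$conf" 2>/dev/null \
            | tail -n 1 | cut -d= -f2- | tr -d '[:space:]' | tr 'a-z' 'A-Z')
    case "$val" in
        YES|TRUE|1)    echo YES ;;
        # An absent option is reported as NO, which is vsftpd's built-in
        # default for chroot_local_user (other options have their own defaults).
        NO|FALSE|0|"") echo NO ;;
        *)             echo "INVALID:$val" ;;   # vsftpd would refuse to start
    esac
}

# Exit status 0 when the file shows the setting the advisory names as the
# misconfiguration (chroot_local_user=YES), 1 otherwise.
flagged_by_advisory() {
    [ "$(vsftpd_bool "$1" chroot_local_user)" = YES ]
}

# Constructed sample config (not taken from a real device) that exercises the
# edge cases: a commented-out line, mixed-case values, and a later override.
SAMPLE_CONF="${TMPDIR:-/tmp}/vsftpd-sample-$$.conf"
cat > "$SAMPLE_CONF" <<'EOF'
# chroot_local_user=NO
listen=YES
local_enable=YES
chroot_local_user=no
chroot_local_user=Yes
EOF

# demo: print the effective value and the advisory check for the sample file
demo() {
    printf 'chroot_local_user effective value: %s\n' \
        "$(vsftpd_bool "$SAMPLE_CONF" chroot_local_user)"
    if flagged_by_advisory "$SAMPLE_CONF"; then
        echo "file shows the setting the advisory flags (chroot_local_user=YES)"
    else
        echo "file does not show the flagged setting"
    fi
}
demo
```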

📡 Detection & Monitoring

Log Indicators:

  • Unusual FTP login attempts
  • FTP access to system directories
  • Failed chroot operations in vsftpd logs

Network Indicators:

  • Unexpected FTP traffic to router
  • FTP connections from unusual sources

SIEM Query:

source="vsftpd" AND (event="CHROOT" OR event="ROOT")
