CVE-2025-44836

6.3 MEDIUM

📋 TL;DR

This command injection vulnerability in TOTOLINK CP900 routers allows attackers to execute arbitrary system commands by manipulating the hour or minute parameters passed to the setApRebootScheCfg function. Attackers can gain unauthorized access, modify configurations, or launch further attacks. All users running the vulnerable firmware version are affected.

💻 Affected Systems

Products:
  • TOTOLINK CPE CP900
Versions: V6.3c.1144_B20190715
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Confirmed only for the firmware version listed; other versions may also be vulnerable, but this is unconfirmed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full device compromise allowing an attacker to install persistent backdoors, pivot to internal networks, intercept traffic, or brick the device.

🟠 Likely Case

Unauthorized configuration changes, credential theft, or use as a foothold for further network attacks.

🟢 If Mitigated

Limited impact if the device is isolated, has restricted network access, and proper input validation is implemented.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing and vulnerable to remote exploitation.
🏢 Internal Only: MEDIUM - Internal attackers could exploit if they have network access to the device.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authentication to the web interface; command injection is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check the TOTOLINK website for firmware updates.
2. Download the latest firmware.
3. Log into the router admin interface.
4. Navigate to the firmware upgrade section.
5. Upload and apply the new firmware.
6. Reboot the device.

🔧 Temporary Workarounds

Disable remote administration (applies to: all)

Prevents external attackers from accessing the vulnerable interface.

Log into admin interface → System Tools → Remote Management → Disable

Restrict admin interface access (applies to: all)

Limit which IP addresses can access the router's admin interface.

Log into admin interface → Security → Access Control → Add allowed IPs only

🧯 If You Can't Patch

  • Isolate the device in a separate VLAN with strict firewall rules
  • Implement network monitoring for unusual traffic patterns from the router

🔍 How to Verify

Check if Vulnerable:

Check the firmware version in the router admin interface under the System Status or Firmware Upgrade section.

Check Version:

curl -s http://router-ip/status.cgi | grep firmware

Verify Fix Applied:

Verify that the firmware version has changed from V6.3c.1144_B20190715 to a newer version.

📡 Detection & Monitoring

Log Indicators:

  • Unusual commands in system logs
  • Multiple failed login attempts followed by successful login
  • Unexpected configuration changes

Network Indicators:

  • Unusual outbound connections from router
  • Traffic to unexpected destinations
  • Port scanning originating from router

SIEM Query:

source="router.log" AND ("setApRebootScheCfg" OR "command injection" OR <names of shell commands that should not appear in router logs>)
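As an added detection example that is not part of this advisory, the Python script below scans constructed web-access log lines for setApRebootScheCfg requests whose hour or minute values are not plain in-range integers, which is the condition the SIEM query above is trying to approximate. The log line layout, the /cgi-bin/cstecgi.cgi path and the topicurl parameter are assumptions made for this example, not taken from this page.

```python
import re
from urllib.parse import parse_qs

# Constructed sample log lines (not captured from a real device). The layout
# "timestamp client method path body" and the /cgi-bin/cstecgi.cgi + topicurl
# convention are assumptions for this example; the suspicious values carry a
# harmless placeholder "x" after the shell metacharacter.
SAMPLE_LOG = """\
2025-05-01T10:00:01 192.168.0.10 POST /cgi-bin/cstecgi.cgi topicurl=setApRebootScheCfg&hour=3&minute=30
2025-05-01T10:02:17 192.168.0.23 POST /cgi-bin/cstecgi.cgi topicurl=setApRebootScheCfg&hour=3%3Bx&minute=30
2025-05-01T10:03:44 192.168.0.23 POST /cgi-bin/cstecgi.cgi topicurl=setApRebootScheCfg&hour=3&minute=30%7Cx
2025-05-01T10:05:00 192.168.0.10 POST /cgi-bin/cstecgi.cgi topicurl=setWizardCfg&ssid=home
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<path>\S+)\s+(?P<body>\S+)$")
# A legitimate reboot schedule is nothing but an integer: 0-23 for the hour, 0-59 for the minute.
HOUR_RE = re.compile(r"(?:[01]?\d|2[0-3])")
MINUTE_RE = re.compile(r"[0-5]?\d")


def check_reboot_schedule(body):
    """Return (name, value) pairs of hour/minute fields that are not a plain
    in-range integer, [] when the request is well formed, or None when the
    body does not target setApRebootScheCfg at all."""
    params = parse_qs(body, keep_blank_values=True)  # percent-decodes values
    if params.get("topicurl") != ["setApRebootScheCfg"]:
        return None
    bad = []
    for name, pattern in (("hour", HOUR_RE), ("minute", MINUTE_RE)):
        for value in params.get(name, []):
            if not pattern.fullmatch(value):
                bad.append((name, value))
    return bad


def scan_log(text):
    """Return one finding per log line whose hour/minute values fail validation."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment should count these
        bad = check_reboot_schedule(m["body"])
        if bad:
            findings.append({"ts": m["ts"], "src": m["src"], "bad": bad})
    return findings
```

Out-of-range values such as hour=24 are flagged as well, since a schedule field that is not a valid time is worth a look even when it contains no metacharacter.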
