CVE-2025-44846 – This CVE describes a command injection vulnerab... (How to Fix)

Q: What is the severity of CVE-2025-44846?

CVE-2025-44846 has a CVSS score of 6.3 (MEDIUM). This CVE describes a command injection vulnerability in TOTOLINK CA600-PoE routers that allows attackers to execute arbitrary commands via the fwUrl parameter in the recvUpgradeNewFw function. Attackers can exploit this to gain unauthorized access, modify device configurations, or launch further attacks. Organizations using affected TOTOLINK CA600-PoE routers are at risk.

📋 TL;DR

This CVE describes a command injection vulnerability in TOTOLINK CA600-PoE routers that allows attackers to execute arbitrary commands via the fwUrl parameter in the recvUpgradeNewFw function. Attackers can exploit this to gain unauthorized access, modify device configurations, or launch further attacks. Organizations using affected TOTOLINK CA600-PoE routers are at risk.

💻 Affected Systems

Products:

TOTOLINK CA600-PoE

Versions: V5.3c.6665_B20180820

Operating Systems: Embedded firmware

Default Config Vulnerable: ⚠️ Yes

Notes: This appears to be a specific firmware version for this router model. Other versions may also be affected but not confirmed.

📦 What is this software?

Ca600 Poe Firmware by Totolink

View all CVEs affecting Ca600 Poe Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full device compromise allowing attackers to install persistent backdoors, pivot to internal networks, intercept network traffic, or brick devices.

🟠

Likely Case

Unauthorized command execution leading to device configuration changes, credential theft, or use as a foothold for lateral movement.

🟢

If Mitigated

Limited impact if devices are behind firewalls with strict network segmentation and command execution is restricted via security controls.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, and the vulnerability can be exploited remotely via crafted requests.

🏢 Internal Only: MEDIUM - Internal exploitation requires network access but could still lead to significant impact if devices are not segmented.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The GitHub reference includes technical details that could facilitate exploitation. Command injection vulnerabilities are typically easy to weaponize.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

No official patch is currently documented. Check TOTOLINK's official website for firmware updates and security advisories.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate affected routers in a separate VLAN with strict firewall rules to limit attack surface.

Disable Unnecessary Services

all

Disable remote firmware upgrade functionality if not required for operations.

🧯 If You Can't Patch

Implement strict network access controls to limit traffic to affected devices only from trusted sources.
Monitor network traffic for unusual patterns and implement intrusion detection rules for command injection attempts.

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via web interface or SSH. If version is V5.3c.6665_B20180820, device is vulnerable.

Check Version:

Login to router admin interface and check firmware version in System Status or similar section.

Verify Fix Applied:

Verify firmware has been updated to a version newer than V5.3c.6665_B20180820 and test recvUpgradeNewFw function with controlled inputs.

📡 Detection & Monitoring

Log Indicators:

Unusual firmware upgrade requests
Suspicious commands in system logs
Failed authentication attempts followed by upgrade requests

Network Indicators:

HTTP POST requests to upgrade endpoints with unusual parameters
Outbound connections from router to unexpected destinations

SIEM Query:

source="router_logs" AND (event="firmware_upgrade" OR event="command_execution") AND (param="fwUrl" OR command="*;*" OR command="*|*")

📊 Metadata

CVE ID: CVE-2025-44846

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-77

EPSS Score: 5.77% exploit probability (90.3th percentile)

Published: May 1, 2025

Last Updated: May 22, 2025

🔗 References

https://github.com/Summermu/VulnForIoT/tree/main/Totolink_CA600-PoE/recvUpgradeNewFw/readme.md Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-44846, you might also want to check these: