CVE-2025-4851

6.3 MEDIUM

📋 TL;DR

This critical vulnerability in TOTOLINK N300RH routers allows remote attackers to execute arbitrary commands by manipulating the FileName parameter in the setUploadUserData function. Attackers can exploit this command injection flaw to gain control of affected devices. All users running vulnerable firmware versions are at risk.

💻 Affected Systems

Products:
  • TOTOLINK N300RH
Versions: 6.1c.1390_B20191101
Operating Systems: Embedded Linux (router firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface accessible via HTTP/HTTPS. All devices with this firmware version are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise allowing persistent backdoor installation, network traffic interception, lateral movement to other devices, and participation in botnets.

🟠 Likely Case

Remote code execution leading to device takeover, credential theft, and network reconnaissance.

🟢 If Mitigated

Limited impact if devices are behind firewalls with strict inbound filtering and network segmentation.

🌐 Internet-Facing: HIGH - Attackers can exploit this remotely without authentication, making exposed devices immediate targets.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this, but requires network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub. The vulnerability requires no authentication and has simple exploitation vectors.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.totolink.net/

Restart Required: Yes

Instructions:

1. Check the TOTOLINK website for firmware updates.
2. Download the latest firmware.
3. Access the router admin interface.
4. Navigate to the firmware upgrade section.
5. Upload and apply the new firmware.
6. Reboot the router.

🔧 Temporary Workarounds

Network Access Restriction (linux)

Block external access to the router management interface. The rules match on the WAN interface so that LAN-side administration keeps working, and they are inserted at the top of the chain so an earlier ACCEPT rule cannot override them:

# Drop management traffic arriving on the WAN side only; LAN admin access is unaffected.
# WAN_IF is a placeholder: substitute the router's actual WAN interface name.
iptables -I INPUT -i "$WAN_IF" -p tcp --dport 80 -j DROP
iptables -I INPUT -i "$WAN_IF" -p tcp --dport 443 -j DROP

Disable Remote Management (all)

Turn off remote administration features in the router settings.

🧯 If You Can't Patch

  • Isolate affected routers in separate VLAN with strict firewall rules
  • Implement network monitoring for unusual outbound connections from routers

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface. If version is 6.1c.1390_B20191101, device is vulnerable.

Check Version:

curl -s http://router-ip/cgi-bin/cstecgi.cgi | grep version

or check the firmware version in the web interface (router-ip is a placeholder for the device's management address).

Verify Fix Applied:

After the firmware update, confirm that the reported version is no longer 6.1c.1390_B20191101 and that the previously working exploit payloads are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /cgi-bin/cstecgi.cgi with FileName parameter containing shell metacharacters
  • Failed authentication attempts followed by command injection attempts

Network Indicators:

  • HTTP requests containing shell commands in parameters
  • Unusual outbound connections from router to external IPs

SIEM Query:

source="router_logs" AND uri="/cgi-bin/cstecgi.cgi" AND (FileName="*;*" OR FileName="*|*" OR FileName="*`*" OR FileName="*$(*")
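The SIEM query above matches the raw FileName field, so a request that sends its metacharacters percent-encoded (for example %3B for ";") would not match unless the log pipeline decodes parameters first. The following is an added example, not part of the advisory or of any TOTOLINK software, showing the same log indicator implemented in Python over constructed sample request lines: it URL-decodes the FileName parameter from either the query string or the POST body and flags the shell metacharacters named in the query. The log line layout ("<timestamp> <client_ip> <method> <uri> <body>") and the form field layout are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Shell metacharacters from the advisory's SIEM query: ; | ` and $(
# Matched after URL-decoding so percent-encoded variants are caught too.
SHELL_META = re.compile(r"[;|`]|\$\(")

TARGET_PATH = "/cgi-bin/cstecgi.cgi"

# Assumed log line layout for this example: "<timestamp> <client_ip> <method> <uri> <body>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) (?P<body>.*)$")

# Constructed sample lines (not real device logs). Addresses are documentation ranges;
# the "cmd" token stands in for whatever an attacker would append.
SAMPLE_LOGS = [
    "2025-05-17T10:00:01Z 192.0.2.10 POST /cgi-bin/cstecgi.cgi topicurl=setUploadUserData&FileName=backup.dat",
    "2025-05-17T10:00:05Z 198.51.100.7 POST /cgi-bin/cstecgi.cgi topicurl=setUploadUserData&FileName=a%3Bcmd",
    "2025-05-17T10:00:09Z 198.51.100.7 POST /cgi-bin/cstecgi.cgi topicurl=setUploadUserData&FileName=x%24%28cmd%29",
    "2025-05-17T10:00:12Z 192.0.2.11 GET /cgi-bin/cstecgi.cgi?FileName=a%7Ccmd -",
    "2025-05-17T10:00:15Z 192.0.2.12 POST /index.html user=admin",
]


def extract_filename(uri, body):
    """Return the URL-decoded FileName value from the query string or form body, or None."""
    parts = urlsplit(uri)
    for source in (parts.query, body):
        values = parse_qs(source, keep_blank_values=True).get("FileName")
        if values:
            return values[0]
    return None


def is_suspicious(line):
    """Return a finding dict when the line is a cstecgi.cgi request whose FileName
    contains shell metacharacters, otherwise None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    if urlsplit(m["uri"]).path != TARGET_PATH:
        return None
    name = extract_filename(m["uri"], m["body"])
    if name is None or not SHELL_META.search(name):
        return None
    return {"ts": m["ts"], "src": m["ip"], "method": m["method"], "FileName": name}


def scan(lines):
    """Run the indicator over a sequence of log lines and return all findings."""
    return [hit for hit in (is_suspicious(line) for line in lines) if hit]


def hits_per_source(findings):
    """Count findings per client address; repeated hits from one source are the
    'followed by command injection attempts' pattern listed above."""
    counts = {}
    for hit in findings:
        counts[hit["src"]] = counts.get(hit["src"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"{hit['ts']} {hit['src']} {hit['method']} FileName={hit['FileName']!r}")
    print(hits_per_source(scan(SAMPLE_LOGS)))
```

Run against the constructed lines it flags three requests (two from 198.51.100.7, one from 192.0.2.11) and leaves the legitimate upload and the unrelated index.html request alone. Because matching happens on decoded values, the rule also needs to be applied to decoded fields in the SIEM, or the wildcard patterns in the query above should be extended with their percent-encoded forms.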

🔗 References
