CVE-2025-55893

6.5 MEDIUM

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary commands on TOTOLINK N200RE routers by injecting malicious input into the hostName parameter of the setOpModeCfg function. Attackers can gain full control of affected devices, potentially compromising network security. Only users of specific TOTOLINK router models with vulnerable firmware are affected.

💻 Affected Systems

Products:
  • TOTOLINK N200RE
Versions: V9.3.5u.6437_B20230519
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices with web management interface accessible. May affect other TOTOLINK models with similar firmware.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device takeover leading to persistent backdoor installation, network traffic interception, lateral movement to other devices, and participation in botnets.

🟠 Likely Case

Router compromise allowing attackers to modify network settings, intercept traffic, and use the device as a pivot point for further attacks.

🟢 If Mitigated

Limited impact if devices are behind firewalls with strict inbound filtering and command injection protections are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authentication to the router's web interface. Proof-of-concept available in public repository.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.totolink.net/

Restart Required: Yes

Instructions:

1. Check TOTOLINK website for firmware updates.
2. Download latest firmware for N200RE.
3. Log into router web interface.
4. Navigate to System Tools > Firmware Upgrade.
5. Upload new firmware file.
6. Wait for automatic reboot.

🔧 Temporary Workarounds

Disable Remote Management (platform: all)

Prevent external access to the router web interface.

Input Validation via Firewall (platform: linux)

Block requests containing command injection patterns:

iptables -A INPUT -p tcp --dport 80 -m string --string "hostName" --algo bm -j DROP

This rule drops any TCP packet to port 80 that carries the literal string "hostName", so it also blocks legitimate configuration requests that set the hostname, and it does not cover HTTPS or a management interface listening on another port. It needs the xt_string match module to be available.

🧯 If You Can't Patch

  • Isolate affected routers in separate VLAN with strict access controls
  • Implement network segmentation to limit lateral movement potential

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in web interface under System Status > Firmware Version

Check Version:

curl -s http://router-ip/cgi-bin/luci/ | grep -i firmware

Verify Fix Applied:

Verify firmware version has been updated to a version later than V9.3.5u.6437_B20230519

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to setOpModeCfg endpoint
  • hostName parameter values containing shell metacharacters such as semicolons, pipes, or backticks

Network Indicators:

  • Unusual outbound connections from router to unknown IPs
  • Traffic patterns suggesting command-and-control communication

SIEM Query:

source="router.log" AND ("setOpModeCfg" OR "hostName") AND ("|" OR ";" OR "`" OR "$")
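As an added example (not from the advisory or the vendor), the log indicators above turned into a check over constructed access-log lines: it gates on setOpModeCfg, then inspects the decoded hostName value, which also catches URL-encoded metacharacters that a raw string search for ";" or "|" misses. The log layout, the topicurl field and the /cgi-bin/PLACEHOLDER path are assumptions, not the router's real format.

```python
import re
from urllib.parse import unquote_plus

# Shell metacharacters that have no business in a hostname value.
METACHARS = re.compile(r"[;|`$&<>\n\r]")

# Constructed log shape (not a real TOTOLINK log format): an access-log style
# request line, with the POST body appended after "body=".
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*".*?body=(?P<body>\S*)')

# Constructed sample lines; /cgi-bin/PLACEHOLDER stands in for the real endpoint path.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "POST /cgi-bin/PLACEHOLDER HTTP/1.1" 200 12 '
    'body=topicurl=setOpModeCfg&hostName=home-router',            # benign hostname change
    '10.0.0.9 - - [01/Jan/2025:10:00:05 +0000] "POST /cgi-bin/PLACEHOLDER HTTP/1.1" 200 12 '
    'body=topicurl=setOpModeCfg&hostName=x;id',                   # literal metacharacter
    '10.0.0.9 - - [01/Jan/2025:10:00:06 +0000] "POST /cgi-bin/PLACEHOLDER HTTP/1.1" 200 12 '
    'body=topicurl=setOpModeCfg&hostName=x%253Bid',               # double URL-encoded ";"
    '10.0.0.5 - - [01/Jan/2025:10:00:07 +0000] "GET /status?hostName=x;id HTTP/1.1" 200 40 body=',  # not setOpModeCfg: ignored
]

def form_values(blob, key):
    """Decoded values of `key` in a form/query string. Splits on '&' only and
    decodes twice so a double-encoded ';' (%253B) still surfaces."""
    out = []
    for pair in blob.split("&"):
        k, _, v = pair.partition("=")
        if k == key:
            out.append(unquote_plus(unquote_plus(v)))
    return out

def check_line(line):
    """Return a finding for a setOpModeCfg request whose hostName carries
    shell metacharacters, else None."""
    m = LOG_RE.search(line)
    if not m or "setOpModeCfg" not in m["path"] + m["body"]:
        return None
    query = m["path"].partition("?")[2]
    for value in form_values(query, "hostName") + form_values(m["body"], "hostName"):
        if METACHARS.search(value):
            return {"method": m["method"], "hostName": value}
    return None

def scan(lines):
    """Findings for every suspicious line, in order."""
    return [f for f in map(check_line, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```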
