CVE-2025-60687

6.5 MEDIUM

📋 TL;DR

An unauthenticated command injection vulnerability in ToToLink LR1200GB routers allows attackers to execute arbitrary system commands by sending malicious IMEI parameters in web requests. This affects all users of the vulnerable router firmware whose web interface is reachable. Attackers can gain complete control of the router without any authentication.

💻 Affected Systems

Products:
  • ToToLink LR1200GB Router
Versions: Firmware V9.1.0u.6619_B20230130
Operating Systems: Embedded Linux (router firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the cstecgi.cgi binary's sub_41EC68 function which handles IMEI parameter validation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete router compromise leading to network infiltration, credential theft, man-in-the-middle attacks, and persistent backdoor installation.

🟠 Likely Case: Router takeover for botnet recruitment, DNS hijacking, or credential harvesting from connected devices.

🟢 If Mitigated: Limited impact if the router is behind a firewall with no external web interface access.

🌐 Internet-Facing: HIGH - The vulnerability is unauthenticated and affects the web interface which is often exposed to the internet on routers.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal devices could exploit this to pivot through the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept exists on GitHub. Exploitation requires only a crafted HTTP request with malicious IMEI parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check the ToToLink website for firmware updates.
2. Download the latest firmware.
3. Access the router admin interface.
4. Navigate to the firmware upgrade section.
5. Upload and apply the new firmware.
6. Reboot the router.

🔧 Temporary Workarounds

Disable Remote Management

Applies to: all

Prevent external access to the router web interface.

Access router admin panel → Advanced Settings → Remote Management → Disable

Network Segmentation

Applies to: all

Isolate the router management interface from untrusted networks.

Configure firewall rules to block external access to the router IP on ports 80/443.

🧯 If You Can't Patch

  • Replace affected routers with different models that receive security updates
  • Implement strict network monitoring and intrusion detection for suspicious router traffic

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version via the admin interface, or attempt exploitation with a test payload (caution: may trigger detection).

Check Version:

curl -s http://router-ip/ | grep -i firmware

Alternatively, check the firmware version in the router admin interface.

Verify Fix Applied:

Verify that the firmware version is newer than V9.1.0u.6619_B20230130 and that exploitation attempts fail.

📡 Detection & Monitoring

Log Indicators:

  • Unusual IMEI parameter values in web logs
  • System command execution from web process
  • Multiple failed authentication attempts followed by successful command execution

Network Indicators:

  • HTTP requests to cstecgi.cgi with IMEI parameter containing shell metacharacters
  • Outbound connections from router to suspicious IPs

SIEM Query:

source="router_logs" AND (uri="*cstecgi.cgi*" AND param="*imei=*" AND (param="*;*" OR param="*|*" OR param="*`*" OR param="*$(*"))
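The SIEM query above is a wildcard match on the raw parameter string. As an added example (not part of this advisory, and not ToToLink code), the script below applies the same network indicator to web-server access logs in code, and goes a step further than the query: it percent-decodes the IMEI value (including double encoding) before looking for shell metacharacters, splits the query string on `&` only, and additionally flags values that are not a 15-digit IMEI as lower-confidence findings. The log lines are constructed, not captured traffic; the `/cgi-bin/` prefix on `cstecgi.cgi`, the lowercase `imei` parameter name and the Common Log Format are assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# One Common Log Format line (assumed format for the constructed sample below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Metacharacters from the advisory's SIEM query (; | ` $( ), plus & and
# line breaks, which reach a shell the same way.
SHELL_METACHARS = re.compile(r"[;|`&\n\r]|\$\(")

# Constructed sample log lines (not real traffic). The /cgi-bin/ path prefix
# and the lowercase "imei" parameter name are assumptions.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2025:12:00:00 +0000] "GET /cgi-bin/cstecgi.cgi?imei=356938035643809 HTTP/1.1" 200 512
192.0.2.11 - - [01/Jan/2025:12:00:01 +0000] "GET /cgi-bin/cstecgi.cgi?imei=1;id HTTP/1.1" 200 512
192.0.2.12 - - [01/Jan/2025:12:00:02 +0000] "GET /cgi-bin/cstecgi.cgi?imei=%2531%253Bid HTTP/1.1" 200 512
192.0.2.13 - - [01/Jan/2025:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024
192.0.2.14 - - [01/Jan/2025:12:00:04 +0000] "GET /cgi-bin/cstecgi.cgi?imei=abc HTTP/1.1" 200 64
"""


def decode_param(raw: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times so a double-encoded value
    (%2531%253B -> %31%3B -> 1;) is inspected in the form the CGI sees."""
    value = raw
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def split_query(query: str):
    """Split on '&' only. parse_qs in Python < 3.10 also split on ';',
    which would silently chop 'imei=1;id' into two harmless parameters."""
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        yield decode_param(name).lower(), decode_param(value)


def classify_imei(value: str):
    """Return a finding label for a decoded IMEI value, or None if benign."""
    if SHELL_METACHARS.search(value):
        return "shell_metachars"
    if not re.fullmatch(r"\d{15}", value):  # a genuine IMEI is 15 digits
        return "malformed_imei"
    return None


def analyze_line(line: str):
    """Return a finding dict for a suspicious cstecgi.cgi request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.lower().endswith("/cstecgi.cgi"):
        return None
    for name, value in split_query(url.query):
        if name != "imei":
            continue
        reason = classify_imei(value)
        if reason:
            return {"src": m.group("ip"), "time": m.group("ts"),
                    "imei": value, "reason": reason, "status": m.group("status")}
    return None


def scan_log(text: str):
    """Run analyze_line over every line of an access log and collect findings."""
    return [hit for hit in map(analyze_line, text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['src']} {hit['reason']}: imei={hit['imei']!r}")
```

This only sees what the log records: a GET query string. If the parameter is sent in a POST body, plain access logs will not contain it and the same check has to run on a reverse proxy or WAF that logs request bodies. A non-200 status on a flagged line is still worth keeping, since a failed probe is evidence of scanning.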
