CVE-2025-9935 – This vulnerability allows remote attackers to e... (How to Fix)

Q: What is the severity of CVE-2025-9935?

CVE-2025-9935 has a CVSS score of 7.3 (HIGH). This vulnerability allows remote attackers to execute arbitrary commands on TOTOLINK N600R routers via command injection in the web interface. Attackers can take full control of affected devices without authentication. All users running the vulnerable firmware version are affected.

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary commands on TOTOLINK N600R routers via command injection in the web interface. Attackers can take full control of affected devices without authentication. All users running the vulnerable firmware version are affected.

💻 Affected Systems

Products:

TOTOLINK N600R

Versions: 4.3.0cu.7866_B20220506

Operating Systems: Embedded Linux firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the web management interface accessible via HTTP/HTTPS. No special configuration required.

📦 What is this software?

N600r Firmware by Totolink

View all CVEs affecting N600r Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing attackers to install persistent malware, pivot to internal networks, intercept traffic, or use the device in botnets.

🟠

Likely Case

Device takeover for credential theft, network reconnaissance, or participation in DDoS attacks.

🟢

If Mitigated

Limited impact if devices are behind firewalls with strict inbound filtering and network segmentation.

🌐 Internet-Facing: HIGH - Remote exploitation without authentication makes internet-facing devices immediate targets.

🏢 Internal Only: MEDIUM - Internal attackers or malware could exploit this to pivot within networks.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit code exists on GitHub. Attack requires sending crafted HTTP requests to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.totolink.net/

Restart Required: Yes

Instructions:

1. Check vendor website for firmware updates. 2. Download latest firmware. 3. Log into router admin interface. 4. Navigate to firmware upgrade section. 5. Upload and apply new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Disable WAN access to web interface

all

Prevent external access to the vulnerable web management interface

Login to router admin → Security/Firewall → Disable remote management/remote access

Network segmentation

all

Isolate router management interface to trusted network segments only

🧯 If You Can't Patch

Replace affected devices with supported models from different vendors
Implement strict network access controls to limit exposure of management interface

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router admin interface under System Status or Firmware Upgrade section

Check Version:

curl -s http://router-ip/cgi-bin/cstecgi.cgi | grep version or check web interface

Verify Fix Applied:

Verify firmware version is newer than 4.3.0cu.7866_B20220506

📡 Detection & Monitoring

Log Indicators:

Unusual HTTP POST requests to /cgi-bin/cstecgi.cgi with shell metacharacters
Unexpected command execution in system logs

Network Indicators:

HTTP requests containing shell commands (;, |, &, $, etc.) to router management port
Outbound connections from router to suspicious IPs

SIEM Query:

source="router_logs" AND uri="/cgi-bin/cstecgi.cgi" AND (command="*;*" OR command="*|*" OR command="*&*" OR command="*$(*")

📊 Metadata

CVE ID: CVE-2025-9935

CVSS v3 Score: 7.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-74

EPSS Score: 1.05% exploit probability (77.2th percentile)

Published: September 4, 2025

Last Updated: September 29, 2025

🔗 References

https://github.com/mono7s/TOTOLINK/blob/main/N600R/TOTOLINK%20N600R%20Unauthorized_Command_Injection.md Exploit,Third Party Advisory
https://vuldb.com/?ctiid.322337 Permissions Required,VDB Entry
https://vuldb.com/?id.322337 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.643088 Third Party Advisory,VDB Entry
https://www.totolink.net/ Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-9935, you might also want to check these: