CVE-2025-6620
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-06-25

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in TOTOLINK CA300-PoE 6.2c.884. It has been rated as critical. Affected by this issue is the function setUpgradeUboot of the file upgrade.so. The manipulation of the argument FileName leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-06-25
Last Modified
2026-04-29
Generated
2026-05-07
AI Q&A
2025-06-25
EPSS Evaluated
2026-05-05
NVD
CVE-2025-6620
EUVD
EUVD-2025-19183
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
totolink ca300-poe_firmware 6.2c.884
totolink ca300-poe *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-6620 is an OS command injection vulnerability in the TOTOLINK CA300-PoE router firmware version 6.2c.884. It exists in the function setUpgradeUboot within the upgrade.so file, where the FileName parameter is not properly validated or sanitized. This allows a remote attacker to inject arbitrary operating system commands by manipulating the FileName argument, leading to unauthorized command execution on the device. [1, 2]


How can this vulnerability impact me? :

This vulnerability can lead to unauthorized remote execution of arbitrary OS commands on the affected device. This can compromise the confidentiality, integrity, and availability of the device, potentially allowing attackers to take control of the router, disrupt network services, or access sensitive information. [1, 2]


What immediate steps should I take to mitigate this vulnerability?

No known mitigations or countermeasures have been identified for this vulnerability. It is suggested to replace the affected TOTOLINK CA300-PoE device running firmware version 6.2c.884 with an alternative product to mitigate the risk. [2]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart