CVE-2025-7615
BaseFortify
Publication date: 2025-07-14
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| totolink | t6_firmware | v4.1.5cu.748_b20211015 |
| totolink | t6 | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-7615 is a critical command injection vulnerability in the TOTOLINK Mesh WiFi T6 router firmware version 4.1.5cu.748. It exists in the HTTP POST request handler, specifically in the clearPairCfg function within the /cgi-bin/cstecgi.cgi endpoint. An attacker can send a specially crafted HTTP POST request manipulating the 'ip' argument to inject and execute arbitrary commands remotely on the device without authentication. This occurs due to insufficient input sanitization, allowing remote code execution. [1, 2]
How can this vulnerability impact me? :
This vulnerability can severely impact you by allowing an attacker to remotely execute arbitrary commands on your TOTOLINK T6 router without authentication. This compromises the confidentiality, integrity, and availability of the device, potentially leading to unauthorized control, data leakage, disruption of network services, or further attacks on connected systems. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP POST requests to the endpoint /cgi-bin/cstecgi.cgi, specifically looking for requests containing the parameter clearPairCfg with suspicious or malformed ip argument values that may indicate command injection attempts. Network intrusion detection systems (NIDS) or web application firewalls (WAF) can be configured to alert on such patterns. For manual detection, you can use tools like curl or wget to test the endpoint with crafted payloads to see if command injection is possible. Example command to test the vulnerability: curl -X POST -d "clearPairCfg=1;id" http://<router-ip>/cgi-bin/cstecgi.cgi - this attempts to inject the 'id' command. Monitoring logs for unexpected command execution or unusual system behavior on the device may also help detect exploitation attempts. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing the affected TOTOLINK T6 device with a non-vulnerable version or different hardware, as no known mitigations or patches are documented. Restricting network access to the device's management interface to trusted networks only, disabling remote management if possible, and monitoring for suspicious activity can reduce exposure. Applying network-level protections such as firewalls or intrusion prevention systems to block malicious POST requests targeting /cgi-bin/cstecgi.cgi may also help. Since the vulnerability allows remote unauthenticated command injection, urgent replacement or isolation of the device is recommended. [2]