CVE-2025-13184
BaseFortify
Publication date: 2025-12-10
Last updated on: 2025-12-19
Assigner: CERT/CC
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| totolink | x5000r_firmware | 9.1.0u.6369_b20230113 |
| totolink | x5000r | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-13184 is a critical authentication bypass vulnerability in the TOTOLINK X5000R router's web server CGI binary (cstecgi.cgi). An attacker can send a specially crafted HTTP request with the parameter 'action=telnet' which bypasses the normal login authentication. This request enables the Telnet service without requiring a password, allowing the attacker to gain unauthenticated root shell access on the device. The exploit relies on matching a 'code' parameter to the system date and uses an empty password, which is the default on factory-reset devices. [1]
How can this vulnerability impact me? :
This vulnerability allows an unauthenticated attacker on the local network, or potentially from the WAN if the router's web interface is exposed, to gain full root access to the TOTOLINK X5000R router. With root privileges, the attacker can execute arbitrary commands, control the device, intercept or manipulate network traffic, and compromise the security and privacy of all devices connected to the router. This poses a severe security risk including potential network takeover and data breaches. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unexpected Telnet (TCP port 23) traffic on your network, as the exploit enables Telnet service without authentication. Additionally, you can test if the router is vulnerable by sending a crafted HTTP request to the router's cstecgi.cgi endpoint with the parameters action=telnet, enable=1, password= (empty), and code matching the current date in MMDDYYYY format. For example, using curl: ``` ROUTER_IP="192.168.0.1" CODE=$(date +%m%d%Y) curl "http://${ROUTER_IP}/cgi-bin/cstecgi.cgi?action=telnet&enable=1&password=&code=${CODE}" ``` If Telnet port 23 opens and allows root login without a password, the device is vulnerable. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Do not expose the router's web interface to the WAN; segment your network to restrict access to the router's management interface. 2) Monitor and block unexpected traffic on TCP port 23 (Telnet). 3) Consider flashing alternative firmware such as OpenWrt that supports the X5000R hardware and is not vulnerable. 4) If possible, disable Telnet service manually and change default passwords to strong ones. Since no official firmware patch was available before public disclosure, these steps help reduce risk. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows unauthenticated root access to the TOTOLINK X5000R router, enabling arbitrary command execution and full control over the device. Such unauthorized access can lead to data breaches, unauthorized data access, and compromise of network security, which negatively impacts compliance with standards and regulations like GDPR and HIPAA that require protection of personal and sensitive data. Failure to secure network devices against such vulnerabilities may result in non-compliance with these regulations due to inadequate security controls. [1]