CVE-2025-44846: n/a in n/a

Severity: Medium
Type: Vulnerability
Published: Thu May 01 2025 (05/01/2025, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

TOTOLINK CA600-PoE V5.3c.6665_B20180820 was found to contain a command injection vulnerability in the recvUpgradeNewFw function via the fwUrl parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

AI-Powered Analysis

Last updated: 06/25/2025, 23:43:41 UTC

Technical Analysis

CVE-2025-44846 is a command injection vulnerability identified in the TOTOLINK CA600-PoE router firmware version V5.3c.6665_B20180820. The flaw exists in the recvUpgradeNewFw function, which processes firmware upgrade requests. Specifically, the vulnerability arises from improper sanitization of the fwUrl parameter, allowing an attacker to inject and execute arbitrary system commands remotely. Exploitation requires sending a crafted request to the vulnerable device, leveraging network access (remote attack vector) with low attack complexity. The vulnerability requires privileges equivalent to a user with some level of authorization (PR:L), but does not require user interaction (UI:N). The CVSS 3.1 base score is 6.3 (medium severity), reflecting limited confidentiality, integrity, and availability impacts (each rated low) but with a network attack vector and low complexity. The CWE-77 classification confirms this is a command injection issue, which can lead to unauthorized command execution on the device's underlying operating system. No known exploits are currently reported in the wild, and no patches or vendor advisories have been published yet. The vulnerability affects a specific TOTOLINK router model commonly used in small to medium enterprise and home office environments, particularly where Power over Ethernet (PoE) functionality is required. Given the nature of the vulnerability, successful exploitation could allow attackers to manipulate device configurations, disrupt network traffic, or pivot into internal networks, potentially compromising connected systems.

Potential Impact

For European organizations, the impact of this vulnerability can be significant, especially for those relying on TOTOLINK CA600-PoE routers in their network infrastructure. Compromise of these devices could lead to unauthorized command execution, allowing attackers to alter network configurations, intercept or redirect traffic, or launch further attacks within the internal network. This could result in partial loss of confidentiality (e.g., interception of sensitive data), integrity (e.g., tampering with network settings or firmware), and availability (e.g., denial of service by disrupting router functionality). Organizations in sectors such as small and medium enterprises, educational institutions, and remote offices that deploy these routers without strict network segmentation or monitoring are particularly at risk. Additionally, the requirement for some privilege level (PR:L) suggests that attackers may need to have limited access or credentials, which could be obtained via phishing or other means, increasing the attack surface. The absence of user interaction lowers the barrier for automated exploitation once access is gained. Given the router’s role as a network gateway, exploitation could facilitate lateral movement and data exfiltration, impacting business continuity and regulatory compliance under GDPR.

Mitigation Recommendations

1. Immediate mitigation should include isolating TOTOLINK CA600-PoE devices from untrusted networks and restricting management interfaces to trusted IP addresses only.
2. Implement strict network segmentation to limit the exposure of these routers to potential attackers.
3. Monitor network traffic for unusual requests targeting firmware upgrade endpoints, especially those containing suspicious fwUrl parameters.
4. Enforce strong authentication mechanisms and regularly audit credentials to reduce the risk of privilege escalation that could enable exploitation.
5. Where possible, disable remote firmware upgrade functionality until a vendor patch is available.
6. Engage with TOTOLINK support channels to obtain firmware updates or patches addressing this vulnerability.
7. Employ intrusion detection/prevention systems (IDS/IPS) with signatures tuned to detect command injection attempts targeting the recvUpgradeNewFw function.
8. Conduct regular vulnerability assessments and penetration tests focusing on network devices to identify and remediate similar weaknesses proactively.
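Recommendation 3 in practice, as an added example (not code from TOTOLINK or from this advisory): a strict allowlist check applied to fwUrl values pulled from captured request bodies. The JSON and form-encoded body shapes, the hostnames and the sample requests are assumptions constructed for illustration; the page does not document the device's request format.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Conservative allowlists for a firmware URL; anything outside them raises an alert.
SAFE_HOST = re.compile(r"^[A-Za-z0-9.-]+$")
SAFE_REST = re.compile(r"^[A-Za-z0-9._~/%=&-]*$")

# Constructed sample request bodies (assumed shapes, not captured traffic).
SAMPLE_BODIES = [
    '{"fwUrl": "http://updates.example.invalid/ca600/fw.bin"}',
    '{"fwUrl": "http://updates.example.invalid/fw.bin;INJECTED"}',
    "action=upgrade&fwUrl=http%3A%2F%2F10.0.0.5%2Ffw.bin%60INJECTED%60",
    '{"topic": "status"}',
]

def extract_fw_url(body):
    """Return the fwUrl value from a JSON or form-encoded body, else None."""
    try:
        doc = json.loads(body)
        if isinstance(doc, dict) and "fwUrl" in doc:
            return str(doc["fwUrl"])
    except ValueError:
        pass  # not JSON; fall through to form decoding
    values = parse_qs(body, keep_blank_values=True).get("fwUrl")
    return values[0] if values else None

def fw_url_findings(value):
    """List the reasons a fwUrl value falls outside the allowlist."""
    findings = []
    # Check the raw value first: urlsplit silently strips tabs and newlines.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in value):
        findings.append("whitespace or control character")
    try:
        parts = urlsplit(value)
        _ = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return findings + ["unparseable URL"]
    if parts.scheme not in ("http", "https"):
        findings.append("scheme is not http/https")
    if "@" in parts.netloc or not SAFE_HOST.match(parts.hostname or ""):
        findings.append("unexpected characters in host")
    if not SAFE_REST.match(parts.path + parts.query + parts.fragment):
        findings.append("unexpected characters in path or query")
    return findings

def scan(bodies):
    """Return (index, fwUrl, findings) for each body whose fwUrl fails the allowlist."""
    hits = ((i, extract_fw_url(b)) for i, b in enumerate(bodies))
    return [(i, v, fw_url_findings(v)) for i, v in hits if v is not None and fw_url_findings(v)]
```

An allowlist is used instead of a metacharacter denylist so that unforeseen shell syntax still produces an alert; the same predicate can back an IDS rule or a reverse-proxy filter in front of the management interface.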

Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-04-22T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9838c4522896dcbec2e4

Added to database: 5/21/2025, 9:09:12 AM

Last enriched: 6/25/2025, 11:43:41 PM

Last updated: 7/31/2025, 2:27:04 PM
