CVE-2025-44847: n/a in n/a

Medium
Published: Thu May 01 2025 (05/01/2025, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

TOTOLINK CA600-PoE V5.3c.6665_B20180820 was found to contain a command injection vulnerability in the setWebWlanIdx function via the webWlanIdx parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

AI-Powered Analysis

Last updated: 06/25/2025, 23:43:28 UTC

Technical Analysis

CVE-2025-44847 is a command injection vulnerability identified in the TOTOLINK CA600-PoE router, specifically in firmware version V5.3c.6665_B20180820. The vulnerability exists within the setWebWlanIdx function, which processes the webWlanIdx parameter. An attacker can exploit this flaw by sending a specially crafted request containing malicious input in the webWlanIdx parameter, leading to arbitrary command execution on the device. This type of vulnerability (CWE-77) allows attackers to inject operating system commands that the device executes with the privileges of the affected service. The CVSS 3.1 base score is 6.3, indicating a medium severity level. The vector string (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) shows that the attack can be performed remotely over the network with low attack complexity, requires low privileges (authenticated user), no user interaction, and impacts confidentiality, integrity, and availability to a limited extent. There are no known exploits in the wild at the time of publication, and no patches have been linked yet. The vulnerability could allow an attacker with some level of access to the device’s web interface to execute arbitrary commands, potentially leading to unauthorized control, data leakage, or disruption of network services provided by the router.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for those relying on TOTOLINK CA600-PoE routers in their network infrastructure. Exploitation could lead to unauthorized command execution, enabling attackers to manipulate network traffic, intercept sensitive data, or disrupt connectivity. This could affect confidentiality by exposing internal network information, integrity by altering configurations or data, and availability by causing denial of service or network outages. Given that the vulnerability requires low privileges but no user interaction, insider threats or compromised credentials could be leveraged to exploit this flaw. Organizations in sectors with critical infrastructure, such as telecommunications, manufacturing, or government networks, could face operational disruptions or data breaches. The lack of available patches increases the window of exposure, emphasizing the urgency of mitigation. Additionally, the PoE (Power over Ethernet) functionality suggests these devices might be powering other network equipment, so compromise could cascade to other connected devices or services.

Mitigation Recommendations

1. Immediate network segmentation: Isolate TOTOLINK CA600-PoE devices from critical network segments to limit potential lateral movement if compromised.
2. Restrict access: Limit administrative access to the router’s web interface to trusted IP addresses and enforce strong authentication mechanisms, including multi-factor authentication if supported.
3. Monitor logs: Implement enhanced logging and monitoring for unusual commands or access patterns on the affected devices.
4. Firmware update: Engage with TOTOLINK or authorized vendors to obtain firmware updates or patches addressing this vulnerability as soon as they become available.
5. Temporary workaround: If patching is not immediately possible, disable or restrict the vulnerable setWebWlanIdx function or related web interface features if configurable.
6. Credential hygiene: Change default or weak passwords on affected devices and ensure credentials are unique and securely stored.
7. Network traffic inspection: Deploy intrusion detection/prevention systems (IDS/IPS) to detect and block suspicious requests targeting the webWlanIdx parameter.
8. Incident response readiness: Prepare for potential exploitation by having incident response plans tailored to router compromise scenarios.

Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-04-22T00:00:00.000Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682d9838c4522896dcbec30b

Added to database: 5/21/2025, 9:09:12 AM

Last enriched: 6/25/2025, 11:43:28 PM

Last updated: 7/26/2025, 11:33:12 PM
