
CVE-2025-44848: command injection in TOTOLINK CA600-PoE (vendor/product listed as n/a in the CVE record)

Medium
Published: Thu May 01 2025 (05/01/2025, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

TOTOLINK CA600-PoE V5.3c.6665_B20180820 was found to contain a command injection vulnerability in the msg_process function via the Url parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

AI-Powered Analysis

Last updated: 06/26/2025, 02:31:16 UTC

Technical Analysis

CVE-2025-44848 is a command injection vulnerability in TOTOLINK CA600-PoE firmware V5.3c.6665_B20180820, a build dated August 2018 and the only version named in the CVE record. The flaw is in the msg_process function and is reached through the Url parameter of a request to the device. The parameter value is incorporated into a command that is handed to a shell or command interpreter without neutralizing the characters that interpreter treats specially, so a value consisting of an ordinary URL followed by a command separator and a second command causes that second command to run on the device. This is the pattern CWE-77 (Improper Neutralization of Special Elements used in a Command) describes.

The CVSS v3.1 base score is 6.5 (Medium), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N: reachable over the network, low attack complexity, no privileges and no user interaction required. The impact sub-scores (low confidentiality, low integrity, no availability impact) are hard to reconcile with arbitrary command execution on a network device, which normally gives the attacker full control of it, including the ability to take it offline; treat the score as understating the practical risk rather than as a limit on it. No vendor patch or advisory is available at the time of writing, and no exploitation in the wild had been observed as of the publication date (May 1, 2025).

The CA600-PoE is a PoE-powered TOTOLINK network device. An attacker who can run commands on it can read its configuration and any stored credentials, alter or redirect the traffic it carries, install a persistent implant, and use the device as a pivot into the internal network behind it.
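To make the CWE-77 pattern concrete, the following added example (illustrative C written for this page, not TOTOLINK firmware code; the function names, the use of a wget helper and the /tmp/msg path are assumptions) contrasts a handler that splices the Url value into a shell command line with a hardened one that allowlists the value and then executes the helper directly, with no shell involved. The value http://203.0.113.1/a;reboot is a constructed test input.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Illustrative sketch of the CWE-77 pattern; not TOTOLINK code. The hypothetical
 * assumption is that msg_process fetches the Url value with a command-line helper
 * such as wget and stores the result under /tmp. */

/* VULNERABLE: the attacker-controlled value is spliced into a shell command line.
 * Returns the command that system() would run, or NULL if it would not fit. */
const char *build_cmd_unsafe(const char *url) {
    static char cmd[512];
    int n = snprintf(cmd, sizeof cmd, "wget -q -O /tmp/msg %s", url);
    return (n >= 0 && (size_t)n < sizeof cmd) ? cmd : NULL;
}

/* Never called in this file: with Url=http://203.0.113.1/a;reboot the shell
 * runs "wget -q -O /tmp/msg http://203.0.113.1/a" and then "reboot". */
int handle_msg_unsafe(const char *url) {
    const char *cmd = build_cmd_unsafe(url);
    return cmd ? system(cmd) : -1;
}

/* HARDENED, step 1: allowlist the value. Only an http(s) scheme plus the URL
 * characters the legitimate use needs; shell metacharacters (; | & ` $ ( ) < >,
 * quotes, whitespace, control characters) are rejected even though some of them
 * are legal in URLs. */
int url_is_allowed(const char *url) {
    const char *rest;
    if (strncmp(url, "http://", 7) == 0)       rest = url + 7;
    else if (strncmp(url, "https://", 8) == 0) rest = url + 8;
    else return 0;
    if (*rest == '\0' || strlen(url) > 256) return 0;
    for (const char *p = rest; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (!isalnum(c) && strchr("-._~:/?=%", c) == NULL) return 0;
    }
    return 1;
}

/* HARDENED, step 2: no shell at all. The helper gets an argv, so the value is a
 * single argument whatever it contains, and "--" keeps a value starting with '-'
 * from being parsed as an option. Returns the helper's exit status, or -1 if the
 * value was rejected or the process could not be started. */
int fetch_url_safe(const char *url) {
    if (!url_is_allowed(url)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp("wget", "wget", "-q", "-O", "/tmp/msg", "--", url, (char *)NULL);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    const char *injected = "http://203.0.113.1/a;reboot"; /* constructed test value */
    printf("unsafe command line: %s\n", build_cmd_unsafe(injected));
    printf("allowlist verdict:   %d\n", url_is_allowed(injected));
    printf("fetch_url_safe:      %d (rejected before any process is started)\n",
           fetch_url_safe(injected));
    return 0;
}
```

The allowlist alone is not the fix; removing the shell is. The allowlist is there so that the helper receives only values of the expected shape, which also prevents argument-injection against the helper itself.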

Potential Impact

For organizations in Europe that deploy the TOTOLINK CA600-PoE, the risk is concrete: an unauthenticated attacker who can reach the device's web interface can run commands on it. A compromised device can be used to intercept or redirect the traffic it carries, to exfiltrate the configuration and credentials stored on it, to establish a persistent foothold, and to pivot into the rest of the network. Sectors with critical infrastructure or sensitive data, such as finance, manufacturing and telecommunications, face the most serious consequences, but any network in which the device sits on the path between users and services is exposed. The CVSS vector rates the availability impact as none, but an attacker with a shell on the device can just as easily disable it or disrupt the traffic through it, so the medium score should not be read as a cap on impact. No exploitation in the wild had been reported as of publication, which gives operators a window to find and isolate affected devices before that changes.

Mitigation Recommendations

Inventory: identify every TOTOLINK CA600-PoE on the network and record its firmware version. V5.3c.6665_B20180820 is the build named in the CVE record; since no fixed version has been published, treat other builds as unverified rather than as safe.

Exposure: the attack needs only network access to the device's web interface (PR:N, UI:N). Make sure that interface is not reachable from the internet or from untrusted VLANs: restrict it with ACLs or firewall rules to a management network and, where the device supports it, to specific administrator hosts, and disable any remote-management option the device offers.

Detection: short of a vendor patch the flaw cannot be fixed on the device, so monitoring has to sit in front of it. Log or capture HTTP requests to the management interface and alert on requests whose Url parameter, after percent-decoding, contains shell metacharacters (; | & ` $ newlines, quotes) or anything other than a plain URL. IDS/IPS signatures along the same lines are a reasonable complement, but decode before matching, since the payload arrives URL-encoded.

Patching: watch for a TOTOLINK firmware release that references this CVE and apply it. The vulnerable function (msg_process) is internal to the firmware and cannot be disabled by configuration; the interim mitigation is limiting who can reach the web service that invokes it.

Process: treat a device running this firmware that was reachable from untrusted networks as possibly compromised, and check it for unexpected configuration changes, processes or outbound connections. Keep an incident response procedure for network device compromise (isolate, capture the configuration for analysis, factory reset and re-flash, rotate any credentials stored on the device), and include embedded network devices in regular audits and penetration tests, since command injection of this kind is common in this class of firmware.
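A detector for the monitoring step above, added here as an example (not code from the page, the vendor or any IDS; the form-encoded parameter format is assumed and the sample requests are constructed): it extracts the Url parameter from a query string or request body, percent-decodes it, and flags values containing characters that would let the value escape a shell argument.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not vendor code: flag requests whose Url parameter, once decoded,
 * could escape a shell argument. Input is the form-encoded query string or body
 * ("a=1&Url=...&b=2"); the samples in main() are constructed, not captured traffic. */

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode one form-encoded value (stops at '&' or end): %XX -> byte, '+' -> space.
 * Returns 0, or -1 if the decoded value does not fit in dst. */
int form_decode(const char *src, char *dst, size_t dstlen) {
    size_t o = 0;
    for (size_t i = 0; src[i] != '\0' && src[i] != '&'; i++) {
        int c = (unsigned char)src[i];
        if (c == '+') {
            c = ' ';
        } else if (c == '%' && hexval(src[i + 1]) >= 0 && hexval(src[i + 2]) >= 0) {
            c = hexval(src[i + 1]) * 16 + hexval(src[i + 2]);
            i += 2;
        }
        if (o + 1 >= dstlen) return -1;
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return 0;
}

/* Find parameter `name` (exact, case-sensitive match) and decode its value.
 * Returns 1 if found, 0 if absent, -1 if the value was too long to decode. */
int get_param(const char *qs, const char *name, char *out, size_t outlen) {
    size_t nlen = strlen(name);
    for (const char *p = qs; p != NULL && *p != '\0'; ) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=')
            return form_decode(p + nlen + 1, out, outlen) == 0 ? 1 : -1;
        p = strchr(p, '&');
        if (p != NULL) p++;
    }
    return 0;
}

/* Characters that let a value spliced into "cmd %s" end the argument or the
 * command. Tune the set to what legitimate Url values look like in your
 * deployment: a literal '&' or '$' inside a genuine URL is a false positive here. */
int looks_like_injection(const char *value) {
    return strpbrk(value, ";|&`$<>()\n\r'\"\\ \t") != NULL;
}

/* 1 = suspicious, 0 = clean, -1 = no usable Url parameter in the request. */
int check_request(const char *qs) {
    char url[1024];
    if (get_param(qs, "Url", url, sizeof url) != 1) return -1;
    return looks_like_injection(url) ? 1 : 0;
}

int main(void) {
    /* constructed sample request bodies, not captured traffic */
    const char *samples[] = {
        "Url=http%3A%2F%2F203.0.113.1%2Fupdate.bin",     /* benign */
        "Url=http%3A%2F%2F203.0.113.1%2Fa%3Breboot&x=1", /* ';' appears after decoding */
        "a=1&Url=http://h/%60id%60",                     /* backticks */
        "Url=http://h/a%0Areboot",                       /* encoded newline */
        "foo=1",                                         /* parameter absent */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%2d  %s\n", check_request(samples[i]), samples[i]);
    return 0;
}
```

Decoding before matching is the point: a signature that looks for a literal ';' in the raw request misses %3B, and one that only looks for %3B misses a client that sends the separator unencoded. The detector does not handle double encoding (%253B); if your capture point sees requests before the device decodes them only once, a single pass is the right model, otherwise decode repeatedly until the value stops changing.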


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-04-22T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9838c4522896dcbebd7c

Added to database: 5/21/2025, 9:09:12 AM

Last enriched: 6/26/2025, 2:31:16 AM

Last updated: 7/31/2025, 9:23:49 AM

