CVE-2025-44854: n/a in n/a
TOTOLINK CP900 V6.3c.1144_B20190715 was found to contain a command injection vulnerability in the setUpgradeUboot function via the FileName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
AI Analysis
Technical Summary
CVE-2025-44854 is a command injection vulnerability identified in the TOTOLINK CP900 router firmware version V6.3c.1144_B20190715. The vulnerability resides in the setUpgradeUboot function, specifically through the FileName parameter. An attacker can exploit this flaw by sending a crafted request that injects arbitrary commands, which the device executes. This type of vulnerability is classified under CWE-77 (Improper Neutralization of Special Elements used in a Command), indicating that the input is not properly sanitized before being passed to a system shell or command interpreter. The CVSS 3.1 base score is 6.3, reflecting a medium severity level. The vector string (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) indicates that the attack can be performed remotely over the network with low attack complexity, requires low privileges (authenticated user), does not require user interaction, and impacts confidentiality, integrity, and availability to a limited extent. No known exploits are currently reported in the wild, and no patches have been linked yet. TOTOLINK CP900 is a consumer-grade wireless router, commonly used in home and small office environments. The vulnerability allows an attacker with some level of authenticated access to execute arbitrary commands on the device, potentially leading to unauthorized control, data leakage, or disruption of network services. Given the nature of the vulnerability, attackers could leverage it to pivot into internal networks or disrupt connectivity by modifying firmware or configurations.
Potential Impact
For European organizations, especially small and medium enterprises (SMEs) and home offices that deploy TOTOLINK CP900 routers, this vulnerability poses a tangible risk. Exploitation could lead to unauthorized command execution, enabling attackers to compromise the router’s integrity and availability. This may result in interception or manipulation of network traffic, disruption of internet connectivity, or use of the compromised device as a foothold for lateral movement within the network. Although the impact on confidentiality is rated low, the integrity and availability impacts could affect business operations, particularly for organizations relying on these routers for critical connectivity. The requirement for low-level privileges means that insider threats or attackers who have gained limited access could escalate their control. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as public disclosure may prompt attackers to develop exploits. Additionally, the lack of an official patch increases exposure time. European organizations with remote or distributed workforces using these devices are particularly vulnerable, as attackers can attempt remote exploitation over the internet or VPNs.
Mitigation Recommendations
1. Immediate mitigation should focus on restricting access to the router’s management interface, ensuring it is not exposed to untrusted networks or the internet.
2. Enforce strong authentication mechanisms and change default credentials to prevent unauthorized access.
3. Monitor network traffic for unusual activities that may indicate exploitation attempts, such as unexpected command executions or configuration changes.
4. Segment networks to isolate vulnerable devices from critical infrastructure and sensitive data.
5. Implement strict access control policies limiting who can authenticate to the router’s management interface.
6. Regularly audit and update firmware from TOTOLINK as soon as a patch addressing this vulnerability is released.
7. If possible, temporarily replace or upgrade affected devices to models without this vulnerability.
8. Employ intrusion detection/prevention systems (IDS/IPS) tuned to detect command injection patterns targeting the setUpgradeUboot function or similar attack vectors.
9. Educate users and administrators about the risks and signs of exploitation to enable rapid response.
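As an added illustration (not code from the advisory or from TOTOLINK), the allowlist check a hardened handler could apply to the FileName parameter before it reaches any shell, paired with the kind of log review that recommendations 3 and 8 describe. The endpoint path /api/setUpgradeUboot, the log format and the sample lines are constructed assumptions; only the function and parameter names come from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Strict allowlist for a firmware image name: one path component made of
# letters, digits, dot, dash and underscore; no shell metacharacters at all.
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")
# Characters that would change the meaning of a shell command line.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\'\"]")

# Constructed sample log: "<client> <method> <request-target>".  The endpoint
# path is an assumption; the requests are made up for this example.
SAMPLE_LOG = """\
192.0.2.10 POST /api/setUpgradeUboot?FileName=uboot_v1.bin
192.0.2.10 POST /api/setUpgradeUboot?FileName=uboot.bin%3Bls
198.51.100.7 GET /api/getStatus
192.0.2.10 POST /api/setUpgradeUboot?FileName=..%2Fx.bin
"""


def is_safe_filename(name: str) -> bool:
    """Allowlist check for FileName: reject anything outside the pattern
    and any '..' sequence, so the value can never alter a command line."""
    return bool(SAFE_FILENAME.fullmatch(name)) and ".." not in name


def suspicious_requests(log_text: str):
    """Return (client, filename, reason) for every request to the assumed
    setUpgradeUboot endpoint whose FileName fails the allowlist."""
    hits = []
    for line in log_text.splitlines():
        client, _method, target = line.split(" ", 2)
        parts = urlsplit(target)
        if parts.path != "/api/setUpgradeUboot":
            continue
        # parse_qs percent-decodes, so encoded metacharacters are seen too.
        for name in parse_qs(parts.query, keep_blank_values=True).get("FileName", []):
            if is_safe_filename(name):
                continue
            meta = SHELL_META.search(name)
            reason = f"shell metacharacter {meta.group()!r}" if meta else "not in allowlist"
            hits.append((client, name, reason))
    return hits


if __name__ == "__main__":
    for client, name, reason in suspicious_requests(SAMPLE_LOG):
        print(f"{client}: FileName={name!r} ({reason})")
```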
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-04-22T00:00:00.000Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9838c4522896dcbec2d0
Added to database: 5/21/2025, 9:09:12 AM
Last enriched: 6/25/2025, 11:44:42 PM
Last updated: 7/29/2025, 5:57:47 PM
Related Threats
- CVE-2025-8988: SQL Injection in SourceCodester COVID 19 Testing Management System (Medium)
- CVE-2025-8987: SQL Injection in SourceCodester COVID 19 Testing Management System (Medium)
- CVE-2025-8986: SQL Injection in SourceCodester COVID 19 Testing Management System (Medium)
- CVE-2025-31987: CWE-405 Asymmetric Resource Consumption in HCL Software Connections Docs (Medium)
- CVE-2025-8985: SQL Injection in SourceCodester COVID 19 Testing Management System (Medium)