CVE-2025-44861 is a command injection vulnerability identified in the TOTOLINK CA300-POE router firmware version V6.2c.884_B20180522. The vulnerability exists within the CloudSrvUserdataVersionCheck function, specifically exploitable via the 'url' parameter. Command injection vulnerabilities (classified under CWE-77) allow an attacker to inject and execute arbitrary operating system commands on the affected device. In this case, an attacker can craft a malicious HTTP request containing a specially formed 'url' parameter that the vulnerable function processes without proper sanitization or validation, leading to execution of unintended commands. The CVSS v3.1 base score is 6.3, indicating a medium severity level. The vector string (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) shows that the attack can be performed remotely over the network with low attack complexity, requires low privileges (authenticated user), no user interaction, and impacts confidentiality, integrity, and availability to a limited extent. No known public exploits have been reported yet, and no patches or vendor advisories are currently available. The vulnerability affects a specific firmware version of the TOTOLINK CA300-POE device, a Power over Ethernet (PoE) router commonly used in small to medium business and enterprise network environments to provide network connectivity and power to devices such as IP cameras and access points. Exploitation could allow an attacker with authenticated access to execute arbitrary commands on the router, potentially leading to unauthorized control, data leakage, network disruption, or pivoting to internal networks. Given the nature of the device, this could impact network infrastructure stability and security posture.

For European organizations, the impact of this vulnerability can be significant, especially for those relying on TOTOLINK CA300-POE routers in their network infrastructure. Successful exploitation could lead to partial compromise of network devices, allowing attackers to manipulate routing, intercept or alter traffic, or disrupt network availability. This could affect confidentiality by exposing sensitive network configuration or traffic data, integrity by allowing unauthorized changes to device settings or firmware, and availability by causing device malfunctions or denial of service. Organizations in sectors with stringent data protection requirements (e.g., finance, healthcare, critical infrastructure) could face regulatory and operational risks. Moreover, attackers could use compromised routers as footholds to launch further attacks within corporate networks. The requirement for low privileges (authenticated user) means insider threats or compromised credentials could facilitate exploitation. The absence of public exploits currently reduces immediate risk, but the medium severity score and ease of exploitation warrant proactive mitigation. The lack of vendor patches increases exposure duration, emphasizing the need for compensating controls.

1. Immediate mitigation should focus on restricting access to the management interfaces of TOTOLINK CA300-POE devices, ensuring that only trusted and authenticated personnel can reach the affected function. This includes network segmentation and firewall rules to limit administrative access to internal networks or VPNs. 2. Enforce strong authentication mechanisms and regularly rotate credentials to reduce the risk of credential compromise. 3. Monitor network traffic and device logs for unusual or unauthorized command execution attempts, particularly requests targeting the 'url' parameter in the CloudSrvUserdataVersionCheck function. 4. If possible, disable or restrict the vulnerable functionality if it is not essential for operations. 5. Engage with TOTOLINK or authorized vendors to obtain firmware updates or patches as soon as they become available. 6. Implement network-level intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics to detect command injection patterns targeting this vulnerability. 7. Conduct internal audits to identify all instances of the affected device model and firmware version to prioritize remediation efforts. 8. Educate network administrators about the vulnerability and the importance of limiting exposure of device management interfaces. 9. Consider deploying compensating controls such as endpoint protection on devices connected to the network to detect lateral movement attempts originating from compromised routers.