CVE-2025-44862 is a command injection vulnerability identified in the TOTOLINK CA300-POE router firmware version V6.2c.884_B20180522. The vulnerability exists in the recvUpgradeNewFw function, specifically via the fwUrl parameter. This parameter is used during the firmware upgrade process, and due to insufficient input validation or sanitization, an attacker can craft a malicious request that injects arbitrary commands. Successful exploitation allows remote attackers to execute arbitrary system commands on the affected device without requiring user interaction. The vulnerability has a CVSS 3.1 base score of 6.3, indicating a medium severity level. The attack vector is network-based (AV:N), requires low attack complexity (AC:L), and requires privileges (PR:L), but no user interaction (UI:N). The scope remains unchanged (S:U), and the impact is low to moderate on confidentiality, integrity, and availability (C:L/I:L/A:L). The CWE classification is CWE-77, which corresponds to Improper Neutralization of Special Elements used in a Command ('Command Injection'). No patches or vendor advisories are currently available, and no known exploits have been observed in the wild as of the publication date. The vulnerability affects a specific TOTOLINK router model commonly used in small to medium business and home office environments, particularly for Power over Ethernet (PoE) applications. Exploitation could lead to unauthorized command execution, potentially allowing attackers to manipulate device configurations, intercept or redirect network traffic, or disrupt network availability.

For European organizations, the impact of this vulnerability can be significant, especially for those relying on TOTOLINK CA300-POE routers in their network infrastructure. Compromise of these devices could lead to unauthorized access to internal networks, interception of sensitive data, or disruption of network services. Given the device's role in providing PoE capabilities, critical network endpoints such as VoIP phones, IP cameras, or wireless access points could be indirectly affected. The medium CVSS score reflects moderate risk, but the requirement for low-level privileges (PR:L) suggests that attackers need some form of authenticated access or prior foothold, which somewhat limits the attack surface. However, if default or weak credentials are in use, this barrier could be easily overcome. The lack of user interaction requirement means automated exploitation is feasible once access is obtained. European organizations in sectors such as telecommunications, manufacturing, and critical infrastructure that deploy these routers may face increased risk of espionage, data leakage, or operational disruption. Additionally, the absence of patches increases the window of exposure. The vulnerability could also be leveraged as a pivot point for lateral movement within corporate networks, amplifying its potential impact.

Immediately audit all TOTOLINK CA300-POE devices within the network to identify affected firmware versions. Restrict administrative access to the router's management interfaces by implementing network segmentation and access control lists (ACLs) limiting access to trusted IP addresses only. Enforce strong, unique passwords for device management accounts and disable any default or unused accounts to reduce the risk of privilege escalation. Monitor network traffic for unusual firmware upgrade requests or unexpected outbound connections initiated by the router, which may indicate exploitation attempts. If possible, disable remote firmware upgrade functionality or restrict it to trusted internal sources until a vendor patch is released. Implement network intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics to detect command injection attempts targeting the fwUrl parameter. Maintain up-to-date asset inventories and ensure timely application of firmware updates once the vendor releases a patch addressing this vulnerability. Consider deploying compensating controls such as network segmentation to isolate vulnerable devices from critical infrastructure and sensitive data repositories. Educate IT staff about the vulnerability and encourage proactive threat hunting for signs of exploitation within the environment.