CVE-2025-4851: Command Injection in TOTOLINK N300RH
A vulnerability classified as critical was found in TOTOLINK N300RH 6.1c.1390_B20191101. This vulnerability affects the function setUploadUserData of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument FileName leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-4851 is a command injection vulnerability in the TOTOLINK N300RH router, specifically in firmware version 6.1c.1390_B20191101. The vulnerability resides in the setUploadUserData function reached through the /cgi-bin/cstecgi.cgi endpoint. An attacker can manipulate the FileName argument to inject arbitrary commands, which the device executes. The analysis describes the vulnerability as remotely exploitable without user interaction or authentication, which increases its risk profile; note, however, that the CVSS vector below records PR:L, so the vector assumes low privileges rather than none. The CVSS 4.0 base score is 5.3, a medium severity rating. The vector string (AV:N/AC:L/AT:N/UI:N/PR:L) shows that the attack can be performed over the network with low attack complexity and no user interaction, but requires low privileges (PR:L). The impact on confidentiality, integrity, and availability is limited (VC:L/VI:L/VA:L), indicating partial compromise rather than full system takeover. Although no exploitation in the wild is currently known, exploit code has been disclosed publicly, raising the likelihood of future exploitation. The affected model is a widely deployed consumer-grade router, often used in home and small office environments, so many devices could be exposed if left unpatched. The lack of available patches or vendor mitigation at the time of disclosure increases the urgency of defensive measures.
Potential Impact
For European organizations, the impact of this vulnerability depends on the deployment of TOTOLINK N300RH routers within their network infrastructure. While typically consumer or small office devices, these routers may be used in branch offices or home offices, especially in remote work scenarios. Exploitation could allow attackers to execute arbitrary commands on the device, potentially leading to network reconnaissance, lateral movement, or establishing persistent footholds. This could compromise internal network security, data confidentiality, and availability of network services. Given the medium severity and partial impact on confidentiality, integrity, and availability, the threat is significant but not catastrophic. However, the ease of remote exploitation without user interaction or authentication increases risk, especially in environments with limited network segmentation or monitoring. European organizations with remote workers or small branch offices using TOTOLINK devices should be particularly vigilant. Additionally, compromised routers could be leveraged as part of larger botnets or for launching further attacks, amplifying the threat to broader infrastructure.
Mitigation Recommendations
1. Immediately identify and inventory TOTOLINK N300RH devices running the affected firmware version (6.1c.1390_B20191101) within the organization's network, including remote and branch office locations.
2. Apply firmware updates or patches from TOTOLINK as soon as they become available. In the absence of official patches, consider temporary mitigations such as disabling remote management interfaces or restricting access to the /cgi-bin/cstecgi.cgi endpoint via firewall rules or access control lists.
3. Implement network segmentation to isolate vulnerable devices from critical internal systems and sensitive data.
4. Monitor network traffic for unusual activity originating from or targeting TOTOLINK devices, including unexpected command execution patterns or outbound connections.
5. Employ intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics capable of detecting command injection attempts against CGI endpoints.
6. Educate IT staff and users about the risks of using outdated router firmware and the importance of timely updates.
7. For remote or home office users, provide secure VPN access and consider replacing vulnerable consumer-grade routers with enterprise-grade devices that receive regular security updates.
8. Regularly audit and update device inventories and firmware versions to prevent future exposure.
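A defender-side triage check for recommendations 4 and 5, added here as an example and not part of this advisory or of any vendor tooling: it scans web access-log lines for requests to the /cgi-bin/cstecgi.cgi endpoint, isolates the FileName value passed to setUploadUserData, and flags values that carry shell metacharacters. It assumes Apache/nginx "combined" log format and that the request line (and optionally a captured body) is available; the log lines and the JSON body shape are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Values taken from the advisory: the vulnerable endpoint, function and argument.
VULN_PATH = "/cgi-bin/cstecgi.cgi"
VULN_FUNC = "setUploadUserData"
# Characters that have no place in a file name but carry shell semantics.
SHELL_META = re.compile(r"[;&|`$<>\n\r]")
# Matches FileName=value (form-encoded) or "FileName":"value" (JSON body).
FILENAME_RE = re.compile(r'''FileName["']?\s*[:=]\s*["']?([^"'&\s}]*)''')
# Apache/nginx combined access-log line (assumed): client, time, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def classify(target, body=""):
    """Triage one request: 'clean' (other path), 'endpoint' (cstecgi.cgi only),
    'function' (setUploadUserData, plain FileName) or 'suspicious' (metacharacters)."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return "clean"
    # Decode percent-encoding so %3B and friends are judged as what they become.
    data = unquote_plus(parts.query) + "\n" + unquote_plus(body)
    if VULN_FUNC not in data:
        return "endpoint"
    match = FILENAME_RE.search(data)
    if match and SHELL_META.search(match.group(1)):
        return "suspicious"
    return "function"


def scan_log(lines):
    """Return (client, timestamp, verdict, status) for every request that
    touches the vulnerable endpoint; 'clean' requests are dropped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        client, ts, _method, target, status = m.groups()
        verdict = classify(target)
        if verdict != "clean":
            findings.append((client, ts, verdict, status))
    return findings


# Constructed sample log lines (not real traffic); private and documentation addresses.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/May/2025:18:59:04 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.7 - - [20/May/2025:19:00:10 +0000] "POST /cgi-bin/cstecgi.cgi HTTP/1.1" 200 98',
    '10.0.0.9 - - [20/May/2025:19:01:33 +0000] "POST /cgi-bin/cstecgi.cgi?setUploadUserData&FileName=backup.bin HTTP/1.1" 200 44',
    '203.0.113.8 - - [20/May/2025:19:02:41 +0000] "POST /cgi-bin/cstecgi.cgi?setUploadUserData&FileName=backup.bin%3Bx HTTP/1.1" 200 44',
]
```

Running `scan_log(SAMPLE_LOG)` yields one finding per endpoint hit, with only the last line classed as suspicious; a pipeline would route "suspicious" to an alert and keep "function" and "endpoint" hits as context for segmentation and patch tracking.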
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-05-16T15:16:21.822Z
- CISA Enriched: true
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 682cd0f81484d88663aeb792
Added to database: 5/20/2025, 6:59:04 PM
Last enriched: 7/11/2025, 8:02:57 PM
Last updated: 8/6/2025, 7:35:05 AM