
CVE-2025-60687: n/a

Severity: Medium
Published: Thu Nov 13 2025 (11/13/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

An unauthenticated command injection vulnerability exists in the ToToLink LR1200GB Router firmware V9.1.0u.6619_B20230130 within the cstecgi.cgi binary (sub_41EC68 function). The binary reads the "imei" parameter from a web request and verifies only that it is 15 characters long. The parameter is then directly inserted into a system command using sprintf() and executed with system(). Maliciously crafted IMEI input can execute arbitrary commands on the router without authentication.

AI-Powered Analysis

Last updated: 11/13/2025, 16:02:06 UTC

Technical Analysis

CVE-2025-60687 is a critical unauthenticated command injection vulnerability found in the ToToLink LR1200GB router firmware version V9.1.0u.6619_B20230130. The flaw resides in the cstecgi.cgi binary, specifically within the sub_41EC68 function, which processes the 'imei' parameter from incoming web requests. The vulnerability arises because the firmware only validates that the 'imei' parameter is exactly 15 characters long but does not sanitize or escape its content before using sprintf() to insert it into a system command executed via the system() call. This unsafe handling allows an attacker to craft a malicious IMEI string that injects arbitrary shell commands, which the router executes with root privileges. The attack requires no authentication, meaning any remote attacker with network access to the router’s web interface can exploit this flaw. The vulnerability enables full remote code execution, allowing attackers to take control of the router, manipulate network traffic, install malware, or use the device as a pivot point for further attacks within the network. Although no public exploits have been reported yet, the nature of the vulnerability and the ease of exploitation make it highly dangerous. The lack of a CVSS score indicates this is a newly disclosed issue, but the technical details clearly demonstrate a critical security risk. The affected firmware version is specifically V9.1.0u.6619_B20230130, and no patches or mitigations have been officially published at the time of disclosure. Organizations using this router model should consider immediate risk mitigation steps to prevent exploitation.
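As an added illustration (not code from ToToLink or from the CVE record), the contrast between the length-only check the analysis describes and a strict allow-list validator that also never hands the value to a shell; the tool path and the "--imei" flag are placeholders:

```c
#include <ctype.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define IMEI_LEN 15

/* The weak check as the advisory describes it: any 15-byte string
 * passes, whatever characters it contains. */
int imei_length_only(const char *imei) {
    return imei != NULL && strlen(imei) == IMEI_LEN;
}

/* Strict allow-list: exactly 15 ASCII digits whose last digit is a
 * valid Luhn check digit (the IMEI format). Anything else is rejected
 * before it gets anywhere near a command line. */
int imei_is_valid(const char *imei) {
    if (imei == NULL || strlen(imei) != IMEI_LEN) return 0;
    int sum = 0;
    for (int i = 0; i < IMEI_LEN; i++) {
        if (!isdigit((unsigned char)imei[i])) return 0;
        int d = imei[i] - '0';
        /* Luhn: double every second digit counting from the right */
        if ((IMEI_LEN - 1 - i) % 2 == 1) {
            d *= 2;
            if (d > 9) d -= 9;
        }
        sum += d;
    }
    return sum % 10 == 0;
}

/* Run a helper with the IMEI as a single argv element via execv(),
 * not via system(): no shell ever parses the value. Returns the
 * child's exit status, or -1 if the IMEI fails validation. The tool
 * path and "--imei" flag are hypothetical placeholders. */
int run_with_imei(const char *tool, const char *imei) {
    if (!imei_is_valid(imei)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = {(char *)tool, "--imei", (char *)imei, NULL};
        execv(tool, argv);
        _exit(127); /* exec failed */
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The constructed sample 490154203237518 is a well-formed IMEI; a 15-byte value with a single non-digit passes the length-only check but is rejected by the allow-list.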

Potential Impact

The impact of CVE-2025-60687 on European organizations could be significant. Successful exploitation grants unauthenticated remote attackers full control over the affected router, compromising network perimeter security. This can lead to interception or manipulation of sensitive data, disruption of internet connectivity, and the deployment of persistent malware or backdoors. For enterprises, this could mean exposure of confidential communications, disruption of business operations, and potential lateral movement to internal networks. Critical infrastructure operators using these routers may face operational outages or sabotage risks. The vulnerability also undermines trust in network security and could lead to regulatory compliance issues under GDPR if personal data is compromised. Given the router’s role as a network gateway, exploitation could facilitate large-scale attacks such as man-in-the-middle, DNS hijacking, or participation in botnets. The absence of authentication and the ability to execute arbitrary commands remotely make this a high-impact threat for any organization relying on the affected devices.

Mitigation Recommendations

To mitigate CVE-2025-60687, organizations should immediately restrict access to the router’s web management interface by implementing network-level controls such as firewall rules or VPN-only access. Disable remote management features if not required. Monitor network traffic for unusual requests targeting the 'imei' parameter or the cstecgi.cgi endpoint. Apply any firmware updates or patches provided by ToToLink as soon as they become available. If patches are not yet released, consider replacing affected routers with models from vendors with a stronger security track record. Employ network segmentation to isolate critical systems from vulnerable devices. Conduct regular security audits and vulnerability scans to detect exploitation attempts. Educate IT staff about this vulnerability and ensure incident response plans include steps for router compromise scenarios. Finally, report any suspicious activity related to this vulnerability to relevant cybersecurity authorities.


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-09-26T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 6915fe5477eaf5a849603934

Added to database: 11/13/2025, 3:50:44 PM

Last enriched: 11/13/2025, 4:02:06 PM

Last updated: 11/20/2025, 10:34:12 AM
