CVE-2025-6618 is a vulnerability identified in the TOTOLINK CA300-PoE router, specifically in firmware version 6.2c.884. The flaw exists in the SetWLanApcliSettings function within the wps.so component. This vulnerability arises from improper handling of the PIN argument, which can be manipulated to perform OS command injection. An attacker can remotely exploit this vulnerability without requiring user interaction or prior authentication, leveraging the network accessibility of the device. The vulnerability allows an attacker to execute arbitrary operating system commands on the affected device, potentially leading to full compromise of the router. The CVSS 4.0 base score is 5.3 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no authentication required (AT:N), no user interaction (UI:N), and partial impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no public exploits are currently known to be in the wild, the exploit code has been disclosed publicly, increasing the risk of exploitation. The vulnerability does not require user interaction or authentication, which significantly lowers the barrier for attackers. The scope is limited to the affected firmware version and the specific device model. The command injection nature of the flaw means attackers could potentially execute arbitrary commands, leading to unauthorized access, data exfiltration, network pivoting, or denial of service conditions on the device or connected networks.

For European organizations, the exploitation of this vulnerability could have significant operational and security impacts. TOTOLINK CA300-PoE devices are typically used in small to medium business environments and possibly in some enterprise edge deployments for Power over Ethernet (PoE) networking. Successful exploitation could allow attackers to gain control over network infrastructure devices, enabling interception or manipulation of network traffic, disruption of network services, or establishing persistent footholds within corporate networks. This could lead to data breaches, espionage, or disruption of critical business processes. Given the remote and unauthenticated nature of the exploit, attackers could target vulnerable devices en masse, potentially impacting multiple organizations simultaneously. The partial impact on confidentiality, integrity, and availability means sensitive data could be exposed or altered, and network availability could be degraded or lost. The public disclosure of the exploit increases the urgency for European organizations to assess their exposure and implement mitigations promptly.

1. Immediate firmware upgrade: Organizations should verify if their TOTOLINK CA300-PoE devices are running version 6.2c.884 and check for any vendor-released patches or firmware updates addressing this vulnerability. If no official patch is available, consider contacting TOTOLINK support for guidance or firmware updates. 2. Network segmentation: Isolate vulnerable devices from critical network segments to limit potential lateral movement by attackers. 3. Access control: Restrict remote management interfaces of TOTOLINK devices to trusted IP addresses or VPNs to reduce exposure to the internet. 4. Intrusion detection: Deploy network intrusion detection systems (NIDS) with signatures or heuristics capable of detecting command injection attempts targeting the SetWLanApcliSettings function or unusual command execution patterns on these devices. 5. Device replacement: For environments where patching is not feasible or timely, consider replacing vulnerable devices with models from vendors with active security support. 6. Monitoring and logging: Enable detailed logging on network devices and monitor for anomalous activities indicative of exploitation attempts. 7. Incident response readiness: Prepare incident response plans specifically addressing potential router compromise scenarios, including containment and recovery procedures. These steps go beyond generic advice by focusing on device-specific controls, network architecture adjustments, and proactive detection tailored to the nature of the vulnerability.