
CVE-2025-6620: OS Command Injection in TOTOLINK CA300-PoE

Severity: Medium
Tags: Vulnerability, CVE-2025-6620
Published: Wed Jun 25 2025 (06/25/2025, 18:00:14 UTC)
Source: CVE Database V5
Vendor/Project: TOTOLINK
Product: CA300-PoE

Description

A vulnerability was found in TOTOLINK CA300-PoE 6.2c.884. It has been rated as critical. Affected by this issue is the function setUpgradeUboot of the file upgrade.so. The manipulation of the argument FileName leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 06/25/2025, 18:42:55 UTC

Technical Analysis

CVE-2025-6620 is an OS command injection in the TOTOLINK CA300-PoE router, firmware version 6.2c.884. The flaw lies in the setUpgradeUboot function of the upgrade.so component: the FileName argument, which names the bootloader image to be written during an upgrade, is incorporated into an operating-system command without validation or escaping, so shell metacharacters in the value become additional commands executed on the device. The function is reachable over the network, so the attack can be launched remotely.

The CVSS vector is not reproduced on this page, and the original analysis should not be read as establishing that no authentication is required. Under CVSS 4.0 a network-reachable, low-complexity injection with low confidentiality, integrity and availability impact scores 5.3 (Medium) when the attacker needs low privileges, such as a valid session on the management interface, and scores higher when no privileges are needed. The safe working assumption is therefore that an attacker who can log in to the web interface, including with default or leaked credentials, can exploit the bug; if the vector is later confirmed as requiring no privileges, raise the priority accordingly.

Whatever the precondition, the consequence is the same: commands run with the privileges of the upgrade process, which on consumer router firmware is typically root, giving the attacker full control of the device. From there an attacker can redirect or intercept traffic passing through the router, disable it, or use it as a foothold to reach hosts behind it. Because the affected function writes the bootloader, a botched or malicious invocation can also leave the unit unbootable.

A public exploit has been disclosed, which raises the likelihood of opportunistic attacks, although no exploitation in the wild had been reported at the time of analysis. Only firmware 6.2c.884 of the CA300-PoE is listed as affected. No patch links are currently available, so mitigation relies on reducing exposure until an official fix is released.
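The bug class at issue, as an added C illustration that is not TOTOLINK's code (upgrade.so is not reproduced on the page; the command string, buffer names and the mtd invocation are assumptions): the vulnerable handler splices FileName into a shell command line, while the hardened version allowlists the name and passes it to the upgrade tool as its own argv element, so no shell ever parses it.

```c
/* Added illustration of the CVE-2025-6620 bug class. This is NOT the vendor's
 * setUpgradeUboot; the command line, buffer sizes and the "mtd write" call are
 * assumptions made for the example. The vulnerable variant only builds the
 * string that would be handed to system(), so the example runs without
 * executing anything. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define CMD_MAX 512

/* Vulnerable pattern (assumed): the parameter value is formatted straight
 * into a shell command line. Any ';', '|', '`' or '$(' in FileName would be
 * interpreted by the shell that system() spawns. */
int build_uboot_cmd_vulnerable(const char *filename, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "mtd write /tmp/%s uboot", filename);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Allowlist check: a firmware file name is one path component made of
 * [A-Za-z0-9._-], not starting with '.', and bounded in length. Shell
 * metacharacters, slashes, whitespace and empty names are all rejected. */
int filename_is_safe(const char *filename)
{
    size_t len = strlen(filename);
    if (len == 0 || len > 64 || filename[0] == '.')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)filename[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Hardened pattern: validate, then build an argv vector for execve() or
 * posix_spawn() so the file name is never parsed by a shell.
 * Returns argc (4) on success, -1 when the name is rejected. */
int build_uboot_argv_safe(const char *filename, char path[CMD_MAX],
                          const char *argv[5])
{
    if (!filename_is_safe(filename))
        return -1;
    int n = snprintf(path, CMD_MAX, "/tmp/%s", filename);
    if (n < 0 || n >= CMD_MAX)
        return -1;
    argv[0] = "/usr/sbin/mtd";   /* assumed tool path */
    argv[1] = "write";
    argv[2] = path;              /* one argument, whatever it contains */
    argv[3] = "uboot";
    argv[4] = NULL;
    return 4;
}

int main(void)
{
    /* Constructed inputs: a plausible image name and an injection attempt. */
    const char *benign = "uboot-6.2c.884.bin";
    const char *evil = "x;id;#";
    char cmd[CMD_MAX];
    char path[CMD_MAX];
    const char *argv[5];

    build_uboot_cmd_vulnerable(evil, cmd, sizeof cmd);
    printf("vulnerable shell line: %s\n", cmd);
    printf("benign accepted: %d, injection accepted: %d\n",
           build_uboot_argv_safe(benign, path, argv) == 4,
           build_uboot_argv_safe(evil, path, argv) == 4);
    return 0;
}
```

The allowlist, not escaping, is the fix: escaping for one shell dialect is fragile, while rejecting everything outside the characters a real image name needs removes the shell from the picture entirely once the value is passed as a single argv element.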

Potential Impact

For European organizations that deploy the TOTOLINK CA300-PoE in their network infrastructure, exploitation would hand an attacker control of a routing device. That position allows interception or manipulation of traffic crossing the router, disruption of network services, and lateral movement into the networks behind it. The consequences are most severe in sectors that depend on network availability and data confidentiality, such as finance, healthcare and critical infrastructure.

The risk is highest where the management interface is reachable from untrusted networks, or where administrative credentials have been left at their defaults, since the attack is performed over the network and the likely precondition is a valid login rather than physical access. Public availability of exploit code lowers the effort required and may accelerate attack attempts. The medium CVSS score reflects that precondition and the limited per-metric impact ratings, but a device that forwards all of a site's traffic should be treated as higher risk than the number alone suggests.

Mitigation Recommendations

- Isolate CA300-PoE devices running firmware 6.2c.884 from untrusted networks immediately. In particular, disable WAN-side (remote) administration if it is enabled, so the management interface is reachable only from the LAN.
- Segment the network so that the management interface is reachable only from a trusted administrative network, and enforce this with firewall rules that block all other inbound traffic to the device's management ports.
- Add egress filtering for the router's management plane: blocking unsolicited outbound connections from the device to the internet blunts payloads that try to fetch tooling or open a reverse shell after a successful injection.
- Change default credentials and use strong, unique passwords for every administrative account; because the likely precondition is an authenticated session, credential hygiene directly reduces the attack surface.
- Monitor traffic to the management interface for unexpected firmware or bootloader upgrade requests, and for parameter values containing shell metacharacters or unusual characters; an upgrade request that no administrator initiated is itself an indicator.
- Use IDS/IPS with updated signatures to detect attempts targeting this vulnerability, placed where it can see management-interface traffic (a reverse proxy or a mirror port), since a compromised router cannot be trusted to log its own exploitation.
- Contact TOTOLINK support or monitor the vendor's official channels for a firmware release addressing this vulnerability, and plan for prompt deployment once it is available.
- If patching is not possible in an acceptable time frame, consider replacing the devices with hardware from a vendor with a stronger security track record.
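One way to implement the monitoring recommended above, as an added example rather than anything from the page or the vendor: a scanner for management-interface access logs that percent-decodes the FileName parameter and flags values outside the allowlist of a plain firmware file name. The log format, the /cgi-bin/upgrade path and the sample lines are constructed assumptions; the only identifier taken from the advisory is the FileName argument name.

```c
/* Added example: flag requests whose FileName parameter carries shell
 * metacharacters or path components. The log format, the request path and
 * every sample line below are constructed for illustration and are not
 * TOTOLINK's. In practice the lines would come from a reverse proxy or a
 * traffic mirror in front of the router, not from the router itself. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <ctype.h>

/* Percent-decode inlen bytes of in into out (NUL-terminated), treating '+'
 * as a space. Returns the decoded length. */
static size_t url_decode(const char *in, size_t inlen, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; i < inlen && o + 1 < outlen; i++) {
        if (in[i] == '%' && i + 2 < inlen &&
            isxdigit((unsigned char)in[i + 1]) &&
            isxdigit((unsigned char)in[i + 2])) {
            char hex[3] = { in[i + 1], in[i + 2], 0 };
            out[o++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else if (in[i] == '+') {
            out[o++] = ' ';
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = 0;
    return o;
}

/* Returns 1 when the line carries a FileName= value that, after decoding,
 * contains anything outside [A-Za-z0-9._-] or is empty; 0 otherwise.
 * The decoded value is copied into val for reporting. */
int line_is_suspicious(const char *line, char *val, size_t vallen)
{
    const char *p = strstr(line, "FileName=");
    if (!p) {
        val[0] = 0;
        return 0;
    }
    p += strlen("FileName=");
    size_t n = strcspn(p, "&\" \t\r\n");   /* value ends at next delimiter */
    url_decode(p, n, val, vallen);
    if (val[0] == 0)
        return 1;                            /* empty image name is abnormal */
    for (const char *c = val; *c; c++) {
        unsigned char ch = (unsigned char)*c;
        if (!(isalnum(ch) || ch == '.' || ch == '_' || ch == '-'))
            return 1;
    }
    return 0;
}

/* Scans count lines, prints an alert for each suspicious one and returns
 * the number flagged. */
int scan_lines(const char *const *lines, int count)
{
    int hits = 0;
    char val[256];
    for (int i = 0; i < count; i++) {
        if (line_is_suspicious(lines[i], val, sizeof val)) {
            hits++;
            printf("ALERT line %d: decoded FileName=%s\n", i + 1, val);
        }
    }
    return hits;
}

/* Constructed sample log lines (combined-log style, not real traffic). */
static const char *const SAMPLE[] = {
    "192.0.2.10 - - [25/Jun/2025:18:05:11 +0000] \"POST /cgi-bin/upgrade?FileName=uboot-6.2c.884.bin HTTP/1.1\" 200",
    "198.51.100.7 - - [25/Jun/2025:18:06:02 +0000] \"POST /cgi-bin/upgrade?FileName=x%3Bid%3B%23 HTTP/1.1\" 200",
    "192.0.2.11 - - [25/Jun/2025:18:07:40 +0000] \"GET /status.html HTTP/1.1\" 200",
    "203.0.113.5 - - [25/Jun/2025:18:08:13 +0000] \"POST /cgi-bin/upgrade?FileName=..%2F..%2Fetc%2Fpasswd HTTP/1.1\" 200",
};

int main(void)
{
    int hits = scan_lines(SAMPLE, 4);
    printf("%d of 4 lines flagged\n", hits);
    return 0;
}
```

Decoding before matching matters: an injected `;` normally arrives as `%3B`, so a signature that looks for literal metacharacters in the raw request line misses it. The scanner also treats any upgrade request as worth a look; even a benign-looking FileName is a change event that an administrator should be able to account for.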


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-06-25T07:13:58.616Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 685c3f5ae230f5b234855987

Added to database: 6/25/2025, 6:26:34 PM

Last enriched: 6/25/2025, 6:42:55 PM

Last updated: 8/19/2025, 12:51:07 PM
