CVE-2025-7524

A vulnerability was found in TOTOLINK T6 4.1.5cu.748_B20211015. It has been classified as critical. This affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component HTTP POST Request Handler. The manipulation of the argument ip leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Published: Jul 13, 2025
Updated: Jul 17, 2025
CVE: CVE-2025-7524
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-74
CWE-77

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
totolink / t6_firmware	4.1.5cu.748_b20211015	4.1.5cu.748_b20211015.x

https://github.com/ElvisBlue/Public/blob/main/Vuln/2.md
https://github.com/ElvisBlue/Public/blob/main/Vuln/2.md#poc
https://vuldb.com/?ctiid.316221
https://vuldb.com/?id.316221
https://vuldb.com/?submit.612935
https://www.totolink.net/
https://www.youtube.com/watch?v=T62BuSoHmoM

Vulnerability Database

CVE-2025-7524

Deep Security Visibility Without the Complexity