CVE-2025-7525

A vulnerability was found in TOTOLINK T6 4.1.5cu.748_B20211015. It has been declared as critical. This vulnerability affects the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component HTTP POST Request Handler. The manipulation of the argument command leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Published: Jul 13, 2025
Updated: Jul 17, 2025
CVE: CVE-2025-7525
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-74
CWE-77

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
totolink / t6_firmware	4.1.5cu.748_b20211015	4.1.5cu.748_b20211015.x

https://github.com/ElvisBlue/Public/blob/main/Vuln/3.md
https://github.com/ElvisBlue/Public/blob/main/Vuln/3.md#poc
https://vuldb.com/?ctiid.316222
https://vuldb.com/?id.316222
https://vuldb.com/?submit.612936
https://www.totolink.net/
https://youtu.be/GawLaYfTwYs

Vulnerability Database

CVE-2025-7525

Deep Security Visibility Without the Complexity