OS Command Injection Vulnerability in TOTOLINK EX1800T
CVE-2025-2094

5.3MEDIUM

Key Information:

Vendor: Totolink
Status: Ex1800t
Vendor: CVE Published:; 7 March 2025

Badges

👾 Exploit Exists

What is CVE-2025-2094?

A vulnerability exists in the TOTOLINK EX1800T model, where the function setWiFiExtenderConfig in the file /cgi-bin/cstecgi.cgi is susceptible to an OS command injection. This flaw arises from improper handling of the apcliKey argument, which can allow a remote attacker to execute arbitrary commands on the device. Since the exploit details are publicly available, users are urged to apply security measures to protect against possible attacks.

Affected Version(s)

EX1800T 9.1.0cu.2112_B20220316

References

https://vuldb.com/?id.298952

vdb-entrytechnical-description

https://vuldb.com/?ctiid.298952

signaturepermissions-required

https://vuldb.com/?submit.515319

third-party-advisory

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

👾
Exploit known to exist
Mar 7, 2025
Vulnerability published
Mar 7, 2025
Vulnerability Reserved
Mar 7, 2025

Credit

selph (VulDB User)

Totolink