Command Injection Vulnerability in TOTOLINK CPE CP900 by TOTOLINK
CVE-2025-44836

Currently unrated

Key Information:

Vendor: TOTOLINK

CVE Published: 1 May 2025

What is CVE-2025-44836?

The TOTOLINK CPE CP900, version V6.3c.1144_B20190715, contains a command injection vulnerability in the setApRebootScheCfg function. By manipulating the hour or minute parameter in a request, an attacker can execute arbitrary commands on the device. This poses a significant security risk, potentially allowing unauthorized access to and control over affected devices.

EPSS Score

15% chance of being exploited in the next 30 days.

Timeline

  • Vulnerability published

  • Vulnerability Reserved
