Command Injection Vulnerability in TOTOLINK CA600-PoE Device
CVE-2025-44848

6.5MEDIUM

Key Information:

Vendor: TOTOLINK
Status: CA600-PoE
Vendor: CVE Published:; 1 May 2025

What is CVE-2025-44848?

A command injection vulnerability has been identified in the TOTOLINK CA600-PoE V5.3c.6665_B20180820 device. This security flaw exists in the msg_process function, where user input via the Url parameter is not properly validated. As a result, attackers can craft malicious requests that exploit this weakness, potentially allowing them to execute arbitrary commands on the device. This vulnerability poses a significant risk, particularly in networked environments, as it can be leveraged to gain unauthorized access or control over affected devices.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

References

https://github.com/Summermu/VulnForIoT/tree/main/Totolink...

EPSS Score

7% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 1, 2025
Vulnerability Reserved
Apr 22, 2025

JSON

TOTOLINK