Command Injection Vulnerability in TOTOLINK CA600-PoE Device
CVE-2025-44848

6.5MEDIUM

Key Information:

Vendor: TOTOLINK
Status: CA600-PoE
Vendor: CVE Published:; 1 May 2025

What is CVE-2025-44848?

A command injection vulnerability has been identified in the TOTOLINK CA600-PoE V5.3c.6665_B20180820 device. This security flaw exists in the msg_process function, where user input via the Url parameter is not properly validated. As a result, attackers can craft malicious requests that exploit this weakness, potentially allowing them to execute arbitrary commands on the device. This vulnerability poses a significant risk, particularly in networked environments, as it can be leveraged to gain unauthorized access or control over affected devices.

References

https://github.com/Summermu/VulnForIoT/tree/main/Totolink...

EPSS Score

16% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 1, 2025
Vulnerability Reserved
Apr 22, 2025