Command Injection Vulnerability in Totolink CP900 Product
CVE-2025-44854

Currently unrated

Key Information:

Vendor: Totolink
Status: CP900
Vendor: CVE Published:; 1 May 2025

What is CVE-2025-44854?

The Totolink CP900, specifically version V6.3c.1144_B20190715, is susceptible to a command injection vulnerability in the setUpgradeUboot function. This issue arises from how the FileName parameter is handled, potentially allowing attackers to execute arbitrary commands on the device through specially crafted requests. Exploiting this vulnerability poses a serious risk to device integrity and network security, emphasizing the need for prompt remediation.

References

https://github.com/Summermu/VulnForIoT/tree/main/Totolink...

EPSS Score

15% chance of being exploited in the next 30 days.

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 1, 2025
Vulnerability Reserved
Apr 22, 2025