Command Injection Vulnerability in TOTOLINK CA300-POE by TOTOLINK
CVE-2025-44862

Currently unrated

Key Information:

Vendor: TOTOLINK

CVE Published: 1 May 2025

What is CVE-2025-44862?

A command injection vulnerability exists in the TOTOLINK CA300-POE device, in the recvUpgradeNewFw function. The function's fwUrl parameter can be abused through a specially crafted request, allowing an attacker to execute arbitrary commands. Device users should be aware of this security risk and take necessary precautions to protect their network and devices.

EPSS Score

15% chance of being exploited in the next 30 days.

Timeline

  • Vulnerability published

  • Vulnerability Reserved
