Command Injection Vulnerability in TOTOLINK X18 by TOTOLINK
CVE-2025-61044

6.5 MEDIUM

Key Information:

Vendor: TOTOLINK
CVE Published: 1 October 2025

What is CVE-2025-61044?

The TOTOLINK X18 is vulnerable to command injection through the agentName parameter of the setEasyMeshAgentCfg function. The flaw lets unauthorized users inject arbitrary commands into the system, potentially compromising the security and integrity of the affected device. An attacker who exploits it could execute malicious commands, which may lead to unauthorized access to and control over the device.

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
