Skip to main content
CVE Vulnerability Database

CVE-2025-7952: Totolink T6 Firmware RCE Vulnerability

CVE-2025-7952 is a critical remote code execution vulnerability in Totolink T6 Firmware caused by command injection in the MQTT packet handler. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-7952 Overview

CVE-2025-7952 is a command injection vulnerability in the TOTOLINK T6 router running firmware version 4.1.5cu.748. The flaw resides in the ckeckKeepAlive function within the wireless.so library, which is part of the MQTT Packet Handler component. Attackers can manipulate input processed by this function to inject arbitrary operating system commands. The vulnerability is reachable over the network and has been publicly disclosed, including proof-of-concept material.

Critical Impact

Remote attackers with low privileges can inject operating system commands into the MQTT Packet Handler of affected TOTOLINK T6 devices, potentially compromising the router.

Affected Products

  • TOTOLINK T6 firmware version v4.1.5cu.748_b20211015
  • TOTOLINK T6 hardware revision 3
  • wireless.so library exposing the ckeckKeepAlive function

Discovery Timeline

  • 2025-07-22 - CVE-2025-7952 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-7952

Vulnerability Analysis

The vulnerability is a command injection issue [CWE-74] in the TOTOLINK T6 router firmware. The ckeckKeepAlive function inside wireless.so processes fields from incoming MQTT (Message Queuing Telemetry Transport) packets without adequately sanitizing the input. Because the function passes attacker-controlled data into a shell context, injected metacharacters are interpreted by the underlying operating system.

An attacker who can reach the MQTT service on the device can send a crafted packet that carries shell metacharacters within a keep-alive related field. The device then executes the appended commands with the privileges of the MQTT handler process, which typically runs as root on embedded routers.

The EPSS score for this CVE is 15.223% with a percentile of 96.344, indicating elevated exploitation likelihood relative to most published vulnerabilities. Public documentation and a proof-of-concept have been published on GitHub.

Root Cause

The root cause is missing neutralization of special elements in data processed by the ckeckKeepAlive function. The firmware constructs a shell command using unvalidated MQTT packet fields, then executes it through a system call. Any shell metacharacter such as ;, |, or backticks embedded in the packet is preserved through the concatenation.

Attack Vector

Exploitation requires network access to the MQTT Packet Handler exposed by the TOTOLINK T6. The attacker crafts an MQTT packet that includes shell metacharacters within a keep-alive parameter. When the device parses the packet, ckeckKeepAlive passes the tainted string into a command execution path, and the operating system runs the injected commands. Refer to the GitHub Vulnerability Documentation and the GitHub PoC for Vulnerability for reproduction details.

Detection Methods for CVE-2025-7952

Indicators of Compromise

  • MQTT packets directed at TOTOLINK T6 devices that contain shell metacharacters such as ;, &&, |, or backticks in keep-alive related fields.
  • Unexpected outbound connections from the router to attacker-controlled infrastructure following MQTT traffic.
  • New or unusual processes spawned by the MQTT handler, such as sh, wget, curl, or busybox shells.

Detection Strategies

  • Inspect MQTT traffic to and from TOTOLINK T6 devices for non-printable or shell metacharacters in packet payloads.
  • Correlate router syslog or remote logging output with process execution anomalies tied to wireless.so.
  • Alert on unauthenticated or low-privileged MQTT sessions establishing keep-alive exchanges with malformed parameters.

Monitoring Recommendations

  • Forward router logs to a centralized logging platform and retain them for retrospective analysis.
  • Monitor east-west traffic to segmented management networks that host consumer or SOHO routers.
  • Track firmware versions across your inventory and flag devices reporting 4.1.5cu.748 firmware.

How to Mitigate CVE-2025-7952

Immediate Actions Required

  • Restrict network reachability of the MQTT service on the TOTOLINK T6 to trusted management segments only.
  • Remove the device from perimeter-facing deployments until a vendor-supplied fix is available.
  • Rotate any credentials or preshared keys that may have transited the affected device.

Patch Information

At the time of NVD publication, no vendor patch is referenced for CVE-2025-7952. Consult the Totolink Website for firmware advisories and the VulDB #317098 entry for updated remediation status.

Workarounds

  • Block inbound MQTT traffic (typically TCP 1883 and 8883) to the affected devices at the network perimeter.
  • Place TOTOLINK T6 routers behind a firewall that enforces strict source-based access control to management services.
  • Disable or firewall off any WAN-side management interface until updated firmware is released.
bash
# Example: block MQTT ports to affected routers on an upstream Linux gateway
iptables -A FORWARD -p tcp --dport 1883 -d <router_ip> -j DROP
iptables -A FORWARD -p tcp --dport 8883 -d <router_ip> -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.