CVE-2025-44845 in CA600-PoEinfo

Summary

by MITRE • 05/01/2025

TOTOLINK CA600-PoE V5.3c.6665_B20180820 was found to contain a command injection vulnerability in the NTPSyncWithHost function via the hostTime parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 05/25/2025

The vulnerability identified as CVE-2025-44845 affects the TOTOLINK CA600-PoE V5.3c.6665_B20180820 device firmware, representing a critical command injection flaw within the network time protocol synchronization functionality. This vulnerability resides in the NTPSyncWithHost function where the hostTime parameter is processed without adequate input validation or sanitization measures. The flaw enables remote attackers to inject malicious commands into the system through carefully crafted HTTP requests that target the network time synchronization interface.

The technical implementation of this vulnerability stems from improper handling of user-supplied input within the firmware's network time protocol synchronization mechanism. When the hostTime parameter is passed to the NTPSyncWithHost function, the system fails to properly sanitize or validate the input before incorporating it into system commands or shell executions. This creates an environment where an attacker can append malicious command sequences to the hostTime parameter, which are then executed with the privileges of the affected service or application. The vulnerability aligns with CWE-77 and CWE-94, representing command injection and code injection weaknesses respectively, where insufficient input validation allows arbitrary code execution.

The operational impact of this vulnerability extends beyond simple remote code execution, as it provides attackers with significant control over the affected device. Successful exploitation could enable attackers to gain full administrative access to the network switch, potentially allowing them to modify network configurations, intercept traffic, or establish persistent backdoors. The attack surface is particularly concerning given that this affects network infrastructure equipment that typically operates within trusted network segments, making it a prime target for lateral movement and network compromise. According to ATT&CK framework, this vulnerability maps to T1059.001 (Command and Scripting Interpreter: PowerShell) and T1021.001 (Remote Services: Remote Desktop Protocol) as attackers could leverage the executed commands to establish further malicious activities.

Mitigation strategies for this vulnerability should prioritize immediate firmware updates from TOTOLINK, as the vendor is likely to release patches addressing the input validation issues within the NTPSyncWithHost function. Network administrators should implement strict firewall rules to restrict access to the affected device's management interfaces, particularly blocking external access to the NTP synchronization endpoints. Additionally, implementing network monitoring solutions that can detect anomalous command execution patterns or unusual network time synchronization activities will help identify potential exploitation attempts. Organizations should also consider implementing network segmentation to limit the potential impact of successful exploitation and establish robust network access controls to prevent unauthorized access to critical infrastructure devices. The vulnerability demonstrates the importance of input validation in embedded systems and highlights the need for comprehensive security testing of network infrastructure firmware before deployment in production environments.

Responsible

MITRE

Reservation

04/22/2025

Disclosure

05/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00903

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!