CVE-2025-6618 in CA300-PoE
Summary
by MITRE • 06/25/2025
A vulnerability was found in TOTOLINK CA300-PoE 6.2c.884. It has been classified as critical. Affected is the function SetWLanApcliSettings of the file wps.so. The manipulation of the argument PIN leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 06/26/2025
The vulnerability identified as CVE-2025-6618 represents a critical command injection flaw within the TOTOLINK CA300-PoE router firmware version 6.2c.884. This issue resides in the SetWLanApcliSettings function of the wps.so module, which handles wireless network configuration parameters. The vulnerability specifically manifests when the PIN argument is manipulated, allowing attackers to inject arbitrary operating system commands directly into the router's execution environment. The affected device operates as a wireless access point with power over ethernet capabilities, making it a critical component in many network infrastructures. This flaw enables remote exploitation without requiring any authentication credentials, as the vulnerability exists in a publicly accessible network interface that handles wireless configuration requests. The command injection vulnerability fundamentally compromises the device's security posture by allowing attackers to execute arbitrary code with the privileges of the affected service.
The technical implementation of this vulnerability follows the classic command injection pattern where user-supplied input flows directly into system execution without proper sanitization or validation. When the PIN parameter is processed by the SetWLanApcliSettings function, the input is not properly escaped or filtered before being used in system calls. This allows an attacker to append malicious commands that get executed by the underlying operating system. The attack vector is particularly dangerous because it operates over the network without requiring physical access or prior authentication, making it a significant threat to network security. The exploitation process typically involves crafting a malicious PIN value that includes shell metacharacters such as semicolons, ampersands, or pipe operators that cause the system to interpret additional commands beyond the intended PIN processing. This vulnerability aligns with CWE-77 and CWE-88 categories, which specifically address command injection flaws where external input is directly used in system command execution contexts.
The operational impact of this vulnerability extends far beyond simple unauthorized access, as it provides attackers with complete control over the affected router's functionality. An attacker could potentially gain root access to the device, allowing for complete network compromise through various attack vectors including but not limited to DNS hijacking, traffic interception, port forwarding modifications, and network segmentation bypasses. The router's role as a central network component means that successful exploitation could enable attackers to monitor network traffic, redirect connections to malicious servers, or establish persistent backdoors within the network infrastructure. Network administrators may lose visibility into their network operations as the attacker could manipulate logging and monitoring functions. Additionally, the compromised device could serve as a launch point for attacks against other networked devices, creating a potential attack vector for lateral movement within the network. The public disclosure of the exploit means that automated attack tools are likely available, increasing the probability of exploitation across vulnerable installations.
Mitigation strategies for this vulnerability must be implemented immediately given its critical classification and public exploit availability. The primary recommendation involves updating the router firmware to the latest version provided by TOTOLINK, which should contain patches addressing the command injection vulnerability in the wps.so module. Network segmentation should be implemented to isolate affected devices from critical network segments, reducing the potential impact of successful exploitation. Access controls should be enforced to limit network access to the affected router to only authorized personnel and systems. Network monitoring should be enhanced to detect suspicious command execution patterns or unusual network traffic originating from the compromised device. Firewall rules should be configured to restrict access to the router's administrative interfaces and wireless configuration endpoints. The implementation of network intrusion detection systems can help identify exploitation attempts by monitoring for patterns consistent with command injection attacks. Regular security audits should be conducted to identify other potentially vulnerable network devices, and network administrators should consider implementing zero-trust network principles to limit the blast radius of any successful compromise. Organizations should also prepare incident response plans that specifically address router compromise scenarios, ensuring rapid detection and remediation of any exploitation attempts.