CVE-2025-6619 in CA300-PoE
Summary
by MITRE • 06/25/2025
A vulnerability was found in TOTOLINK CA300-PoE 6.2c.884. It has been declared as critical. Affected by this vulnerability is the function setUpgradeFW of the file upgrade.so. The manipulation of the argument FileName leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 06/26/2025
The vulnerability identified as CVE-2025-6619 represents a critical security flaw in the TOTOLINK CA300-PoE 6.2c.884 firmware, specifically within the setUpgradeFW function of the upgrade.so file. This issue constitutes a command injection vulnerability that arises from improper input validation when processing the FileName argument. The flaw enables attackers to execute arbitrary operating system commands on the affected device, fundamentally compromising its security posture and potentially allowing full system control. The vulnerability's critical classification stems from its remote exploitability and the disclosed public exploit availability, which significantly increases the risk of widespread exploitation across affected networks.
The technical implementation of this vulnerability occurs through the manipulation of the FileName parameter within the setUpgradeFW function, which fails to properly sanitize or validate user-supplied input before incorporating it into system commands. This improper handling creates a direct path for command injection attacks where malicious input can be interpreted and executed as operating system commands by the underlying firmware. The attack vector is particularly dangerous as it operates over remote network access, eliminating the need for physical presence or local network access. The vulnerability exists in the upgrade.so module which handles firmware upgrade operations, making it a prime target for attackers seeking to escalate privileges or gain unauthorized access to network infrastructure devices.
The operational impact of this vulnerability extends beyond simple unauthorized access, potentially enabling attackers to completely compromise the affected network devices and use them as launching points for further attacks within the network infrastructure. The exposed firmware upgrade functionality provides attackers with a legitimate interface to exploit, making the attack surface more accessible than typical command injection vulnerabilities. Once exploited, attackers can install malicious firmware, modify network configurations, redirect traffic, or establish persistent backdoors within the network. The public availability of exploit code increases the probability of automated attacks and rapid proliferation across vulnerable TOTOLINK CA300-PoE devices in the wild, creating significant risk for organizations relying on this equipment.
Organizations should immediately implement mitigation strategies including network segmentation to isolate affected devices, disabling unnecessary remote management interfaces, and applying firmware updates from TOTOLINK when available. Network monitoring should be enhanced to detect unusual command execution patterns or unauthorized firmware upgrade attempts. The vulnerability aligns with CWE-77 and CWE-88 categories related to command injection and improper input validation, respectively, and maps to ATT&CK techniques including T1059 for command and scripting interpreter and T1566 for social engineering. Security teams should also consider implementing network access controls and firewall rules to restrict access to the affected device interfaces, while maintaining regular vulnerability assessments to identify similar issues in other network infrastructure components.