CVE-2025-6620 in CA300-PoE
Summary
by MITRE • 06/25/2025
A vulnerability was found in TOTOLINK CA300-PoE 6.2c.884. It has been rated as critical. Affected by this issue is the function setUpgradeUboot of the file upgrade.so. The manipulation of the argument FileName leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 06/26/2025
The vulnerability identified as CVE-2025-6620 represents a critical command injection flaw within the TOTOLINK CA300-PoE 6.2c.884 firmware, specifically affecting the setUpgradeUboot function in the upgrade.so library. This issue falls under the CWE-77 category of Command Injection, where malicious input is executed as system commands with the privileges of the affected service. The vulnerability manifests when the FileName argument is improperly handled during the firmware upgrade process, creating an avenue for arbitrary code execution on the device.
The technical exploitation of this vulnerability occurs through remote manipulation of the FileName parameter, which is processed without adequate input validation or sanitization. When an attacker provides malicious input through this parameter, the system executes operating system commands directly, potentially allowing full system compromise. The attack vector is particularly concerning as it requires no authentication and can be initiated from external network locations, making it highly accessible to threat actors. This remote exploitation capability aligns with ATT&CK technique T1203, which covers exploitation for execution through remote access points.
The operational impact of this vulnerability extends beyond simple command execution, as it can lead to complete system compromise including persistent backdoor installation, data exfiltration, and potential use as a foothold for further network infiltration. The affected device, a network infrastructure component, could serve as a pivot point for attackers to move laterally within a network environment. The fact that public exploitation methods have been disclosed significantly increases the risk profile, as the vulnerability is no longer theoretical but actively weaponized in the wild.
Mitigation strategies should prioritize immediate firmware updates from TOTOLINK if available, though the critical nature of the vulnerability suggests that such updates may not be immediately forthcoming. Network segmentation and firewall rules should be implemented to restrict access to the affected device, while monitoring systems should be deployed to detect unusual network traffic patterns that might indicate exploitation attempts. The vulnerability demonstrates the importance of input validation in embedded systems and highlights the need for secure coding practices in firmware development, particularly in network infrastructure devices where the attack surface is critical and the potential for widespread impact is high. Organizations should also consider implementing network access controls and regular vulnerability assessments to identify similar flaws in other network equipment.