CVE-2022-25130
CRITICALTOTOLINK T6 and T10 Firmware - OS Command Injection via MQTT Packet
Title source: llmDescription
A command injection vulnerability in the function updateWifiInfo of TOTOLINK Technology routers T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 and T10 V2_Firmware V4.1.8cu.5207_B20210320 allows attackers to execute arbitrary commands via a crafted MQTT packet.
References (2)
Core 2
Core References
Broken Link, Third Party Advisory x_refsource_misc
https://github.com/pjqwudi1/my_vuln/blob/main/totolink/vuln_18/18.md
Third Party Advisory, VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/220087
Scores
CVSS v3
9.8
EPSS
0.0446
EPSS Percentile
89.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-77
Status
published
Products (2)
totolink/t10_firmware
v4.1.8cu.5207_b20210320
totolink/t6_firmware
v4.1.5cu.748_b20211015
Published
Feb 19, 2022
Tracked Since
Feb 18, 2026