CVE-2022-25134
CRITICAL EXPLOITED IN THE WILDTOTOLINK T6 V3 Firmware V4.1.5cu.748_B20211015 - OS Command Injection via MQTT Packet
Title source: llmExploitation Summary
CVE-2022-25134 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io).
Description
A command injection vulnerability in the function setUpgradeFW of TOTOLINK Technology router T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 allows attackers to execute arbitrary commands via a crafted MQTT packet.
References (2)
Core 2
Core References
Broken Link, Third Party Advisory x_refsource_misc
https://github.com/pjqwudi1/my_vuln/blob/main/totolink/vuln_13/13.md
Third Party Advisory, VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/220083
Scores
CVSS v3
9.8
EPSS
0.0446
EPSS Percentile
89.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
VulnCheck KEV
2022-08-19
InTheWild.io
2022-08-19
CWE
CWE-77
Status
published
Products (1)
totolink/t6_firmware
v4.1.5cu.748_b20211015
Published
Feb 19, 2022
Tracked Since
Feb 18, 2026