CVE-2022-25135
CRITICALTOTOLINK T6 V3 Firmware V4.1.5cu.748_B20211015 - OS Command Injection via MQTT Packet
Title source: llmDescription
A command injection vulnerability in the function recv_mesh_info_sync of TOTOLINK Technology router T6 V3_Firmware T6_V3_V4.1.5cu.748_B20211015 allows attackers to execute arbitrary commands via a crafted MQTT packet.
References (2)
Core 2
Core References
Broken Link, Third Party Advisory x_refsource_misc
https://github.com/pjqwudi1/my_vuln/blob/main/totolink/vuln_19/19.md
Third Party Advisory, VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-2022-25135
Scores
CVSS v3
9.8
EPSS
0.0446
EPSS Percentile
89.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-77
Status
published
Products (1)
totolink/t6_firmware
v4.1.5cu.748_b20211015
Published
Feb 19, 2022
Tracked Since
Feb 18, 2026