ID

VAR-202509-0043


CVE

CVE-2025-9935


TITLE

TOTOLINK N600R Firmware Injection Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2025-014932

DESCRIPTION

A vulnerability was determined in TOTOLINK N600R 4.3.0cu.7866_B20220506. This vulnerability affects the function sub_4159F8 of the file /web_cste/cgi-bin/cstecgi.cgi. Manipulation can lead to command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be used. The TOTOLINK N600R firmware contains injection and command injection vulnerabilities. Information may be obtained or tampered with, and service operation may be interrupted (DoS). The TOTOLINK N600R is a dual-band wireless router released by the Korean brand TOTOLINK in 2013. It supports concurrent operation in the 2.4GHz and 5GHz bands, with a maximum wireless transmission rate of 300Mbps. No detailed information on the vulnerability is currently available.

Trust: 2.16

sources: NVD: CVE-2025-9935 // JVNDB: JVNDB-2025-014932 // CNVD: CNVD-2025-23590

IOT TAXONOMY

category: ['Network device'] sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-23590

AFFECTED PRODUCTS

vendor: totolink model: n600r scope: eq version: 4.3.0cu.7866_b20220506

Trust: 1.0

vendor: totolink model: n600r scope: eq version: -

Trust: 0.8

vendor: totolink model: n600r scope: - version: -

Trust: 0.8

vendor: totolink model: n600r scope: eq version: n600r firmware 4.3.0cu.7866 b20220506

Trust: 0.8

vendor: totolink model: n600r 4.3.0cu.7866 b20220506 scope: - version: -

Trust: 0.6

sources: CNVD: CNVD-2025-23590 // JVNDB: JVNDB-2025-014932 // NVD: CVE-2025-9935

CVSS

SEVERITY

CVSSV2

CVSSV3

cna@vuldb.com: CVE-2025-9935
value: MEDIUM

Trust: 1.0

nvd@nist.gov: CVE-2025-9935
value: CRITICAL

Trust: 1.0

OTHER: JVNDB-2025-014932
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2025-23590
value: HIGH

Trust: 0.6

cna@vuldb.com: CVE-2025-9935
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

OTHER: JVNDB-2025-014932
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2025-23590
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

cna@vuldb.com: CVE-2025-9935
baseSeverity: HIGH
baseScore: 7.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 3.9
impactScore: 3.4
version: 3.1

Trust: 1.0

nvd@nist.gov: CVE-2025-9935
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2025-014932
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2025-23590 // JVNDB: JVNDB-2025-014932 // NVD: CVE-2025-9935 // NVD: CVE-2025-9935

PROBLEMTYPE DATA

problemtype: CWE-74

Trust: 1.0

problemtype: CWE-77

Trust: 1.0

problemtype: Injection (CWE-74) [others]

Trust: 0.8

problemtype: Command injection (CWE-77) [NVD evaluation]

Trust: 0.8

problemtype: Command injection (CWE-77) [others]

Trust: 0.8

sources: JVNDB: JVNDB-2025-014932 // NVD: CVE-2025-9935

EXTERNAL IDS

db: NVD id: CVE-2025-9935

Trust: 3.2

db: VULDB id: 322337

Trust: 1.8

db: JVNDB id: JVNDB-2025-014932

Trust: 0.8

db: CNVD id: CNVD-2025-23590

Trust: 0.6

sources: CNVD: CNVD-2025-23590 // JVNDB: JVNDB-2025-014932 // NVD: CVE-2025-9935

REFERENCES

url:https://github.com/mono7s/totolink/blob/main/n600r/totolink%20n600r%20unauthorized_command_injection.md

Trust: 1.8

url:https://vuldb.com/?id.322337

Trust: 1.8

url:https://vuldb.com/?submit.643088

Trust: 1.8

url:https://www.totolink.net/

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2025-9935

Trust: 1.4

url:https://vuldb.com/?ctiid.322337

Trust: 1.0

sources: CNVD: CNVD-2025-23590 // JVNDB: JVNDB-2025-014932 // NVD: CVE-2025-9935

SOURCES

db: CNVD id: CNVD-2025-23590
db: JVNDB id: JVNDB-2025-014932
db: NVD id: CVE-2025-9935

LAST UPDATE DATE

2025-10-15T23:46:27.638000+00:00


SOURCES UPDATE DATE

db: CNVD id: CNVD-2025-23590 date: 2025-10-14T00:00:00
db: JVNDB id: JVNDB-2025-014932 date: 2025-10-02T09:09:00
db: NVD id: CVE-2025-9935 date: 2025-09-29T18:32:03.733

SOURCES RELEASE DATE

db: CNVD id: CNVD-2025-23590 date: 2025-10-14T00:00:00
db: JVNDB id: JVNDB-2025-014932 date: 2025-10-02T00:00:00
db: NVD id: CVE-2025-9935 date: 2025-09-04T10:42:37.610