A critical command injection vulnerability, identified as CVE-2025-55591, has been discovered in multiple products, with a specific instance noted in TOTOLINK-A3002R routers. This flaw allows a remote, unauthenticated attacker to execute arbitrary commands on an affected device by sending a malicious request. Successful exploitation could lead to a complete system compromise, enabling the attacker to take full control of the network device.

This is a command injection vulnerability in the formMapDel endpoint. An attacker can exploit this flaw by sending a crafted HTTP request where the devicemac parameter contains malicious shell commands. The application fails to properly sanitize this input before using it in a system-level command, allowing the injected commands to be executed with the privileges of the web server process, which is often root on embedded devices. This results in unauthenticated remote code execution (RCE).

This vulnerability is rated as critical severity with a CVSS score of 9.8, posing a significant risk to the organization. An attacker can gain complete control over the affected network devices without any authentication. Potential consequences include theft of sensitive data such as network configurations and credentials, disruption of network services, and using the compromised device as a pivot point to launch further attacks against the internal network. Compromised devices could also be co-opted into a botnet for use in DDoS attacks, causing reputational damage and potential legal liabilities.

Immediate Action: Identify all affected devices within the environment and immediately apply the latest firmware updates provided by the respective vendors to patch this vulnerability. In parallel, actively monitor for signs of exploitation by reviewing web server and system access logs for any anomalous activity related to the formMapDel endpoint.

Proactive Monitoring: Implement monitoring rules to detect and alert on suspicious requests to the /formMapDel endpoint. Specifically, scrutinize the devicemac parameter for shell metacharacters (e.g., ;, |, &&, $(), `). Monitor for unusual outbound network traffic from affected devices, which could indicate a command-and-control connection. Use an Intrusion Detection/Prevention System (IDS/IPS) with signatures that can identify command injection attempts.

Compensating Controls: If patching cannot be performed immediately, implement the following controls:

• Restrict access to the device's web management interface to a trusted management network or specific IP addresses.
• If possible, disable remote/WAN management access entirely.
• Deploy a Web Application Firewall (WAF) with rules to block malicious requests targeting the vulnerable parameter.
• Ensure the vulnerable devices are on a segmented network to limit the potential impact of a compromise.

Public Exploit Available: false

Due to the critical severity (CVSS 9.8) and the risk of unauthenticated remote code execution, this vulnerability requires immediate attention. Organizations must prioritize the identification and patching of all affected devices. Although this CVE is not currently on the CISA KEV list, its critical nature warrants treating it with the highest urgency. If patching is delayed for any reason, the compensating controls listed above must be implemented without delay to reduce the attack surface and mitigate the immediate risk of compromise.