cbcvebase.
CVE-2025-13184
published 2025-12-10

CVE-2025-13184: Unauthenticated Telnet enablement via cstecgi.cgi (auth bypass) leading to unauthenticated root login with a blank password on factory/reset X5000R…

PriorityP278critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
10.99%
95.3th percentile
Unauthenticated Telnet enablement via cstecgi.cgi (auth bypass) leading to unauthenticated root login with a blank password on factory/reset X5000R V9.1.0u.6369_B20230113 (arbitrary command execution). Earlier versions that share the same implementation, may also be affected.

Affected

2 ranges
VendorProductVersion rangeFixed in
toto_linkx5000r_s< V9.1.0u.6369_B20230113V9.1.0u.6369_B20230113
totolinkx5000r_firmware

Detection & IOCsextracted from sources · hover to see the quote

url/cgi-bin/cstecgi.cgi?action=telnet&enable=1&password=&code=
path/cgi-bin/cstecgi.cgi
versionX5000R V9.1.0u.6369_B20230113
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Totolink enable enable Parameter Telnet enablement Authentication Bypass Attempt (CVE-2025-13184)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/cstecgi.cgi|3f|action|3d|telnet|26|enable|3d|1|26|password|3d 26|code|3d|"; fast_pattern; reference:url,hackingbydoing.wixsite.com/hackingbydoing/post/totolink-x5000r-ax1800-router-authentication-bypass; reference:cve,2025-13184; classtype:attempted-admin; sid:2066260; rev:1; metadata:affected_product TOTOLINK, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_12_10, cve CVE_2025_13184, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_12_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Detect unauthenticated GET requests to /cgi-bin/cstecgi.cgi with query parameters action=telnet&enable=1 and a blank password field — this is the auth bypass trigger for Telnet enablement.
  • Monitor for new Telnet service activation (port 23) on TOTOLINK X5000R devices following an HTTP GET to cstecgi.cgi, which may indicate successful exploitation.
  • Alert on Telnet login attempts (port 23) to TOTOLINK devices using the root account with a blank/empty password, especially post-factory-reset state.
  • The Snort/Suricata rule (SID 2066260) targets plaintext HTTP only (tls_state plaintext); ensure perimeter and internal deployment points inspect unencrypted HTTP traffic to networking equipment management interfaces.
  • ·Earlier firmware versions sharing the same cstecgi.cgi implementation may also be vulnerable, so detection scope should not be limited to V9.1.0u.6369_B20230113 alone.
  • ·The Snort rule only fires on plaintext HTTP; if the management interface is ever served over HTTPS, the rule will not trigger and additional TLS-inspection coverage is needed.
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.