cbcvebase.
CVE-2025-7952
published 2025-07-22

Priority: P2 (score 75, high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 15.22% (96.3th percentile)
A vulnerability classified as critical was found in TOTOLINK T6 4.1.5cu.748. This vulnerability affects the function ckeckKeepAlive of the file wireless.so of the component MQTT Packet Handler. The manipulation leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Affected

2 ranges

Vendor | Product | Version range | Fixed in
totolink | t6 | |
totolink | t6_firmware | |

Detection & IOCs (extracted from sources)

Port: 1883 (TCP)

Snort/Suricata rule:
alert tcp any any -> $HOME_NET 1883 (msg:"ET EXPLOIT Totolink MQTT ckeckKeepAlive ipAddr Parameter Command Injection Attempt (CVE-2025-7952)"; flow:established,to_server; content:"totolink/router/ckeckKeepAlive|0a|"; depth:38; fast_pattern; content:"|22|ipAddr|22 3a 22|"; pcre:"/^.*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,github.com/ElvisBlue/Public/blob/main/Vuln/7.md; reference:cve,2025-7952; classtype:web-application-attack; sid:2063673; rev:1; metadata:affected_product TOTOLINK, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_07_22, cve CVE_2025_7952, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_07_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)

Byte patterns:
  • totolink/router/ckeckKeepAlive|0a| (depth:38)
  • |22|ipAddr|22 3a 22|
  • Monitor MQTT traffic (TCP/1883) for PUBLISH packets to the 'totolink/router/ckeckKeepAlive' topic whose 'ipAddr' JSON field contains shell metacharacters (;, newline, backtick, pipe, $); these indicate command injection attempts.
  • The attack is initiated remotely over plaintext MQTT (no TLS), so both perimeter and internal network inspection points are relevant deployment locations for this detection.
  • The vulnerable component is the 'ckeckKeepAlive' function in 'wireless.so' of the MQTT Packet Handler on TOTOLINK T6 4.1.5cu.748; focus process and library monitoring on this binary.
  • A public exploit PoC is available at the referenced GitHub URL; threat actors may be actively weaponizing it.
  • The Snort/Suricata rule targets $HOME_NET on port 1883; ensure MQTT broker and device IPs are included in $HOME_NET and that the sensor is positioned to inspect internal MQTT traffic, not just perimeter flows.
  • Detection relies on plaintext MQTT; if MQTT traffic is tunneled or encrypted (e.g., MQTTS on TCP/8883), this signature will not fire.
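The detection logic above (topic match plus shell metacharacters in the 'ipAddr' field of the PUBLISH payload) can also be applied outside an IDS, for example to a pcap-derived stream or broker logs. The following is an added example, not code from the page's source or from any vendor: it parses an MQTT 3.1.1 PUBLISH packet, extracts topic and payload, and mirrors the rule's metacharacter check, with the structural difference that it checks the decoded JSON value of 'ipAddr' rather than any bytes following the field name. All packets used here are constructed inline for illustration, not captured traffic.

```python
import json
import re

# Topic and JSON field named in the published detection rule.
TARGET_TOPIC = "totolink/router/ckeckKeepAlive"
TARGET_FIELD = "ipAddr"

# The rule's metacharacter set, raw or URL-encoded: ; newline ` | $
METACHAR_RE = re.compile(r"(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)")


def decode_remaining_length(buf: bytes, offset: int):
    """Decode MQTT's variable-length 'remaining length' field; return (value, next offset)."""
    multiplier, value = 1, 0
    while True:
        if offset >= len(buf):
            raise ValueError("truncated remaining length")
        byte = buf[offset]
        offset += 1
        value += (byte & 0x7F) * multiplier
        if byte & 0x80 == 0:
            return value, offset
        multiplier *= 128
        if multiplier > 128 ** 3:
            raise ValueError("malformed remaining length")


def parse_publish(packet: bytes):
    """Parse a PUBLISH control packet into (topic, payload); None if not PUBLISH or malformed."""
    if not packet or (packet[0] >> 4) != 3:
        return None
    qos = (packet[0] >> 1) & 0x03
    try:
        remaining, offset = decode_remaining_length(packet, 1)
    except ValueError:
        return None
    end = offset + remaining
    if end > len(packet) or offset + 2 > end:
        return None
    topic_len = int.from_bytes(packet[offset:offset + 2], "big")
    offset += 2
    topic = packet[offset:offset + topic_len].decode("utf-8", "replace")
    offset += topic_len
    if qos > 0:
        offset += 2  # packet identifier is present only for QoS 1 and 2
    if offset > end:
        return None
    return topic, packet[offset:end]


def is_suspicious(packet: bytes) -> bool:
    """True for a PUBLISH to the ckeckKeepAlive topic whose ipAddr value carries metacharacters."""
    parsed = parse_publish(packet)
    if parsed is None:
        return False
    topic, payload = parsed
    if topic != TARGET_TOPIC:
        return False
    text = payload.decode("utf-8", "replace")
    try:
        doc = json.loads(text)
    except ValueError:
        # Malformed JSON: fall back to the signature's raw-bytes behaviour
        idx = text.find('"ipAddr":"')
        return idx >= 0 and METACHAR_RE.search(text[idx:]) is not None
    value = doc.get(TARGET_FIELD) if isinstance(doc, dict) else None
    return isinstance(value, str) and METACHAR_RE.search(value) is not None


def build_publish(topic: str, payload: bytes) -> bytes:
    """Build a QoS-0 PUBLISH packet (constructed test input, not captured traffic)."""
    tb = topic.encode()
    body = len(tb).to_bytes(2, "big") + tb + payload
    rl, n = b"", len(body)
    while True:  # encode remaining length as a variable-length integer
        digit, n = n % 128, n // 128
        rl += bytes([digit | 0x80 if n else digit])
        if n == 0:
            break
    return b"\x30" + rl + body


# Constructed samples: a normal keepalive, one with a metacharacter, one off-topic.
BENIGN = build_publish(TARGET_TOPIC, b'{"ipAddr":"192.0.2.5"}')
SUSPICIOUS = build_publish(TARGET_TOPIC, b'{"ipAddr":"192.0.2.5;"}')
OTHER_TOPIC = build_publish("sensors/temp", b'{"ipAddr":"192.0.2.5;"}')

if __name__ == "__main__":
    for name, pkt in [("benign", BENIGN), ("suspicious", SUSPICIOUS), ("other_topic", OTHER_TOPIC)]:
        print(name, is_suspicious(pkt))
```

Checking the decoded JSON value rather than "anything after the field name" avoids alerting on metacharacters that appear in later fields of a legitimate message; the raw fallback keeps parity with the signature when the payload is not valid JSON. As the bullets note, this only works on plaintext MQTT on TCP/1883.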

CVSS provenance

  • NVD, CVSS v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
  • NVD, CVSS v4.0: 2.1 LOW (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
  • NVD, CVSS v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)