CRITICAL · 9.8

CVE-2025-44655

Vulnerability Description

In TOTOLink A7100RU V7.4, A950RG V5.9, and T10 V5.9, the chroot_local_user option is enabled in the vsftpd.conf. This could lead to unauthorized access to system files, privilege escalation, or use of the compromised server as a pivot point for internal network attacks.

CVSS Score

9.8 CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH

Affected Products

Vendor      Product             Versions
Totolink    A7100Ru Firmware    7.4
Totolink    A7100Ru             -
Totolink    A950Rg Firmware     5.9
Totolink    A950Rg              -
Totolink    T10 Firmware        5.9
Totolink    T10                 -

Related Weaknesses (CWE)

References

FAQ

What is CVE-2025-44655?

CVE-2025-44655 is a vulnerability with a CVSS score of 9.8 (CRITICAL). In TOTOLink A7100RU V7.4, A950RG V5.9, and T10 V5.9, the chroot_local_user option is enabled in the vsftpd.conf. This could lead to unauthorized access to system files, privilege escalation, or use of...

How severe is CVE-2025-44655?

CVE-2025-44655 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2025-44655?

Check the references section above for vendor advisories and patch information. Affected products include: Totolink A7100Ru Firmware, Totolink A7100Ru, Totolink A950Rg Firmware, Totolink A950Rg, Totolink T10 Firmware.