CVE Catalog

CVE-2025-44655

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.34%

25th percentile - higher than 25% of all known CVEs

Summary

In TOTOLink A7100RU V7.4, A950RG V5.9, and T10 V5.9 routers, the chroot_local_user option is enabled by default in the vsftpd.conf configuration file. This could allow unauthorized access to system files, privilege escalation, or use of the server as a pivot point for internal network attacks.

Risk Assessment

The organization faces the risk of router compromise, potentially leading to data leakage, privilege escalation, and further attacks on internal network infrastructure.

Recommendation

Immediately disable the chroot_local_user option in the vsftpd.conf file on affected devices or apply a firmware update from the vendor.

Original NVD description (English source)

In TOTOLink A7100RU V7.4, A950RG V5.9, and T10 V5.9, the chroot_local_user option is enabled in the vsftpd.conf. This could lead to unauthorized access to system files, privilege escalation, or use of the compromised server as a pivot point for internal network attacks.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS