Three vital safety flaws have been found in firmware model V9.4.0cu.1360_B20241207 of the TOTOLINK X6000R router launched on March 28, 2025.
These vulnerabilities vary from argument injection and command injection to a safety bypass that may result in distant code execution.
Attackers can crash gadgets, corrupt system recordsdata, and execute arbitrary instructions with out authentication.
Customers should replace instantly to the mounted firmware launch (V9.4.0cu.1498_B20250826) to guard their networks.
Overview of the Vulnerabilities
| CVE Identifier | Score | CVSS-B Rating | Description |
| CVE-2025-52905 | Excessive | 7.0 | Argument injection flaw that may crash the router or overwhelm exterior servers, leading to denial of service. |
| CVE-2025-52906 | Crucial | 9.3 | Unauthenticated command injection permitting distant execution of arbitrary instructions on the machine. |
| CVE-2025-52907 | Excessive | 7.3 | Safety bypass enabling arbitrary file writes, persistent denial-of-service, or chainable distant code execution exploits. |
Technical Evaluation of Argument Injection – CVE-2025-52905
The firmware’s central net interface endpoint, /cgi-bin/cstecgi.cgi, processes person inputs based mostly on a topicurl parameter.
CVE-2025-52905 stems from an incomplete enter validation perform that blocks harmful characters however omits the hyphen (–).
This oversight permits malicious payloads to bypass filtering. Attackers can ship crafted requests that inject arguments into system calls, crashing the machine or redirecting operations to exterior servers.
Exploitation requires solely community entry to the router’s net UI, making mass scanning and automatic assaults trivial for risk actors.
Unauthenticated Command Injection Influence – CVE-2025-52906
CVE-2025-52906 exists within the setEasyMeshAgentCfg perform, which configures mesh agent settings. The perform fails to sanitize the agentName parameter, enabling unauthenticated attackers to insert shell instructions.
When executed by the net server course of, these instructions run with elevated privileges. A profitable exploit can set up persistent malware, intercept community site visitors, or pivot to different gadgets inside the person’s atmosphere.
This vulnerability represents a vital lapse in enter sanitization and authentication controls.
Safety Bypass Resulting in RCE – CVE-2025-52907
CVE-2025-52907 leverages the identical flawed sanitization logic within the setWizardCfg perform. By crafting inputs that keep away from the blocklist, attackers can carry out arbitrary file writes.
Crucial system recordsdata corresponding to /and so forth/passwd will be modified so as to add new accounts, and boot scripts will be altered to ensure distant code execution on restart.
This chainable exploit permits persistent management over the router, undermining any community safety perimeter.
House routers are the gateway to all related gadgets, and these vulnerabilities spotlight the necessity for rigorous enter validation in IoT firmware, as reported by Palo Alto Networks.
Customers of the TOTOLINK X6000R should replace to firmware V9.4.0cu.1498_B20250826 directly.
Sustaining up-to-date firmware and strong community monitoring stays important to guard in opposition to rising IoT threats.
Observe us on Google Information, LinkedIn, and X to Get Prompt Updates and Set GBH as a Most well-liked Supply in Google.
