Sunday, October 5, 2025

TOTOLINK X6000R Routers Hit by Three Vulnerabilities Permitting Remote Code Execution


Three critical security flaws have been found in firmware version V9.4.0cu.1360_B20241207 of the TOTOLINK X6000R router released on March 28, 2025.

These vulnerabilities range from argument injection and command injection to a security bypass that can lead to remote code execution.

Attackers can crash devices, corrupt system files, and execute arbitrary commands without authentication.

Users should update immediately to the fixed firmware release (V9.4.0cu.1498_B20250826) to protect their networks.

Overview of the Vulnerabilities

CVE Identifier | Rating | CVSS-B Score | Description
CVE-2025-52905 | High | 7.0 | Argument injection flaw that can crash the router or overwhelm external servers, resulting in denial of service.
CVE-2025-52906 | Critical | 9.3 | Unauthenticated command injection permitting remote execution of arbitrary commands on the device.
CVE-2025-52907 | High | 7.3 | Security bypass enabling arbitrary file writes, persistent denial-of-service, or chainable remote code execution exploits.

Technical Analysis of Argument Injection – CVE-2025-52905

The firmware's central web interface endpoint, /cgi-bin/cstecgi.cgi, processes user inputs based on a topicurl parameter.

Input validation function for user input

CVE-2025-52905 stems from an incomplete input validation function that blocks dangerous characters but omits the hyphen (-).

This oversight allows malicious payloads to bypass filtering. Attackers can send crafted requests that inject arguments into system calls, crashing the device or redirecting operations to external servers.

Exploitation requires only network access to the router's web UI, making mass scanning and automated attacks trivial for threat actors.
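
The following is an added example, not code from the firmware or from the original report: it contrasts a character blocklist that forgets the hyphen with an allowlist check that also refuses option-like values. The blocklist character set, the function names and the sample values are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for the flawed filter: this character set is illustrative,
 * not taken from the firmware. It rejects shell metacharacters but not '-'. */
bool blocklist_ok(const char *s)
{
    return strpbrk(s, ";|&`$<>\\\"'\n\r (){}") == NULL;
}

/* Hardened check: allowlisted characters, bounded length, and no leading '-',
 * so the value can never be parsed as an option by the program receiving it. */
bool allowlist_ok(const char *s, size_t max_len)
{
    size_t n = strlen(s);
    if (n == 0 || n > max_len || s[0] == '-')
        return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-' && c != ':')
            return false;
    }
    return true;
}

/* Build an argv for an execv()-style call (no shell involved). "--" ends
 * option parsing in getopt-based tools; not every program honours it, so it
 * is a second layer, not a substitute for the check above.
 * Returns the argument count, or -1 if the value is rejected. */
int build_argv(const char *tool, const char *value, const char *argv[4])
{
    if (!allowlist_ok(value, 64))
        return -1;
    argv[0] = tool; argv[1] = "--"; argv[2] = value; argv[3] = NULL;
    return 3;
}

int main(void)
{
    /* Constructed sample values, not captured traffic. */
    const char *samples[] = { "host-01.lan", "--flag=value", "a;b" };
    for (size_t i = 0; i < 3; i++)
        printf("%-14s blocklist=%d allowlist=%d\n", samples[i],
               blocklist_ok(samples[i]), allowlist_ok(samples[i], 64));
    return 0;
}
```

The option-like value passes the blocklist but is rejected by the allowlist, which is the gap the hyphen omission leaves open.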

Unauthenticated Command Injection Impact – CVE-2025-52906

CVE-2025-52906 exists in the setEasyMeshAgentCfg function, which configures mesh agent settings. The function fails to sanitize the agentName parameter, enabling unauthenticated attackers to insert shell commands.

When executed by the web server process, these commands run with elevated privileges. A successful exploit can install persistent malware, intercept network traffic, or pivot to other devices within the user's environment.

This vulnerability represents a critical lapse in input sanitization and authentication controls.

Security Bypass Leading to RCE – CVE-2025-52907

CVE-2025-52907 leverages the same flawed sanitization logic in the setWizardCfg function. By crafting inputs that avoid the blocklist, attackers can perform arbitrary file writes.

Vulnerable setWizardCfg processing analysis

Critical system files such as /etc/passwd can be modified to add new accounts, and boot scripts can be altered to guarantee remote code execution on restart.

This chainable exploit allows persistent control over the router, undermining any network security perimeter.

Home routers are the gateway to all connected devices, and these vulnerabilities highlight the need for rigorous input validation in IoT firmware, as reported by Palo Alto Networks.

Users of the TOTOLINK X6000R should update to firmware V9.4.0cu.1498_B20250826 at once.

Maintaining up-to-date firmware and robust network monitoring remains essential to protect against emerging IoT threats.
