Three crucial safety flaws have been found in firmware model V9.4.0cu.1360_B20241207 of the TOTOLINK X6000R router launched on March 28, 2025.
These vulnerabilities vary from argument injection and command injection to a safety bypass that may result in distant code execution.
Attackers can crash gadgets, corrupt system information, and execute arbitrary instructions with out authentication.
Customers should replace instantly to the fastened firmware launch (V9.4.0cu.1498_B20250826) to guard their networks.
Overview of the Vulnerabilities
| CVE Identifier | Score | CVSS-B Rating | Description |
| CVE-2025-52905 | Excessive | 7.0 | Argument injection flaw that may crash the router or overwhelm exterior servers, leading to denial of service. |
| CVE-2025-52906 | Important | 9.3 | Unauthenticated command injection permitting distant execution of arbitrary instructions on the gadget. |
| CVE-2025-52907 | Excessive | 7.3 | Safety bypass enabling arbitrary file writes, persistent denial-of-service, or chainable distant code execution exploits. |
Technical Evaluation of Argument Injection – CVE-2025-52905
The firmware’s central internet interface endpoint, /cgi-bin/cstecgi.cgi, processes person inputs primarily based on a topicurl parameter.
CVE-2025-52905 stems from an incomplete enter validation operate that blocks harmful characters however omits the hyphen (–).
This oversight permits malicious payloads to bypass filtering. Attackers can ship crafted requests that inject arguments into system calls, crashing the gadget or redirecting operations to exterior servers.
Exploitation requires solely community entry to the router’s internet UI, making mass scanning and automatic assaults trivial for menace actors.
Unauthenticated Command Injection Impression – CVE-2025-52906
CVE-2025-52906 exists within the setEasyMeshAgentCfg operate, which configures mesh agent settings. The operate fails to sanitize the agentName parameter, enabling unauthenticated attackers to insert shell instructions.
When executed by the net server course of, these instructions run with elevated privileges. A profitable exploit can set up persistent malware, intercept community site visitors, or pivot to different gadgets inside the person’s setting.
This vulnerability represents a crucial lapse in enter sanitization and authentication controls.
Safety Bypass Resulting in RCE – CVE-2025-52907
CVE-2025-52907 leverages the identical flawed sanitization logic within the setWizardCfg operate. By crafting inputs that keep away from the blocklist, attackers can carry out arbitrary file writes.
Important system information corresponding to /and many others/passwd could be modified so as to add new accounts, and boot scripts could be altered to ensure distant code execution on restart.
This chainable exploit allows persistent management over the router, undermining any community safety perimeter.
House routers are the gateway to all related gadgets, and these vulnerabilities spotlight the necessity for rigorous enter validation in IoT firmware, as reported by Palo Alto Networks.
Customers of the TOTOLINK X6000R should replace to firmware V9.4.0cu.1498_B20250826 immediately.
Sustaining up-to-date firmware and strong community monitoring stays important to guard towards rising IoT threats.
Observe us on Google Information, LinkedIn, and X to Get Prompt Updates and Set GBH as a Most popular Supply in Google.
