In TOTOLINK X6000R V9.4.0cu.1041_B20240224 in the shttpd file, the Uci_Set Str function is used without strict parameter filtering. An attacker can achieve arbitrary command execution by constructing the payload.
In the shttpd file of TOTOLINK X6000R firmware, the Uci_Set_Str function processes input data without proper parameter filtering. An attacker can construct a specially crafted payload containing malicious system commands that will be executed by the device without any verification. The vulnerability is accessible remotely over the network without requiring any credentials.
Attacker gains the ability to execute arbitrary commands with the privileges of the shttpd process on the device, which in practice means complete takeover of the router — violation of confidentiality, integrity and availability of the system.
Security patches available from the manufacturer should be applied in accordance with the references. Until the update is applied, it is recommended to restrict access to the device management interface to trusted IP addresses only and isolate the device from the public Internet.
TOTOLINK X6000R in firmware version V9.4.0cu.1041_B20240224
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HTotolink X6000r
HWTotolinkwszystkie wersjeTotolink X6000r Firmware
OSTotolink9.4.0cu.1041_b20240224
Related vulnerabilities
OS Command Injection w TOTOLINK X6000R — zdalne wykonanie poleceń
OS Command Injection w firmware routera TOTOLINK X6000R
Command injection w TOTOLINK X6000R – zdalne wykonanie kodu bez uwierzytelnienia
Command Injection w TOTOLINK X6000R — wykonanie dowolnych poleceń
Command injection w TOTOLINK X6000R umożliwia zdalne wykonanie kodu