Unauthenticated Telnet enablement via cstecgi.cgi (auth bypass) leading to unauthenticated root login with a blank password on factory/reset X5000R V9.1.0u.6369_B20230113 (arbitrary command execution). Earlier versions that share the same implementation, may also be affected.
The attacker sends a specially crafted request to the cstecgi.cgi script, bypassing the authentication mechanism (auth bypass, CWE-863 — improper authorization verification). As a result, the Telnet service is activated on the device. After Telnet is enabled, the attacker can log in to the root account with an empty password, which is the default behavior of the device after factory reset or reboot. The entire attack can be performed remotely, without prior authentication and without user interaction.
The attacker gains full, unauthorized access to the system shell with root privileges, enabling arbitrary command execution, complete device takeover, network configuration modification, and potential use of the router as an entry point to the local network.
Apply patches available from the manufacturer according to the references. Until updates are applied, it is recommended to block access to the device management interface (cstecgi.cgi) from untrusted networks and to disable or restrict Telnet service access at the firewall level. The device should not be directly exposed to the internet.
Totolink X5000R Firmware version V9.1.0u.6369_B20230113. Earlier versions using the same implementation may also be vulnerable.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HTotolink X5000r
HWTotolinkwszystkie wersjeTotolink X5000r Firmware
OSTotolink9.1.0u.6369_b20230113
Related vulnerabilities
TOTOLINK X5000R — argument injection w setDiagnosisCfg prowadzący do DoS
Command injection w TOTOLINK X5000R — podatność RCE przez parametr 'port'
Buffer Overflow w TOTOLINK X5000R i A7000R — RCE przez pole IP
TOTOLINK X5000R V9.1.0u.6118_B20201102 and TOTOLINK A7000R V9.1.0u.6115_B20201022 was discovered to contain a ...
TOTOLINK X5000R V9.1.0u.6118_B20201102 and TOTOLINK A7000R V9.1.0u.6115_B20201022 was discovered to contain a ...