TOTOLINK X6000R V9.4.0cu.1360_B20241207 was found to contain a command injection vulnerability in the sub_417D74 function via the file_name parameter. This vulnerability allows unauthenticated attackers to execute arbitrary commands via a crafted request.
The vulnerability occurs in the sub_417D74 function, where the file_name parameter is not properly validated or sanitized before being passed to an interpreted system command (CWE-77). An attacker can craft a special network request containing a malicious payload in the file_name parameter, which causes embedded commands to be executed with the privileges of the process handling the request. The attack requires no authentication or user interaction, and the network interface is directly accessible over the network.
An attacker gains the ability to remotely execute arbitrary system commands on the device, which may lead to complete takeover of the router, leakage of configuration data, modification of network traffic, or use of the device as an entry point for further lateral movement in the network.
Apply patches available from the manufacturer according to the references. Until the update is applied, it is recommended to restrict access to the device's administrative interface only from trusted IP addresses and isolate the device from unprotected network segments.
TOTOLINK X6000R with firmware version V9.4.0cu.1360_B20241207
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HTotolink X6000r
HWTotolinkwszystkie wersjeTotolink X6000r Firmware
OSTotolink9.4.0cu.1360_b20241207
Related vulnerabilities
OS Command Injection w TOTOLINK X6000R — zdalne wykonanie poleceń
OS Command Injection w firmware routera TOTOLINK X6000R
Command injection w TOTOLINK X6000R — zdalne wykonanie poleceń bez uwierzytelnienia
Command Injection w TOTOLINK X6000R — wykonanie dowolnych poleceń
Command injection w TOTOLINK X6000R umożliwia zdalne wykonanie kodu