CVE-2025-70327
EUVD-2025-20762123.02.2026, 21:19
TOTOLINK X5000R v9.1.0cu_2415_B20250515 contains an argument injection vulnerability in the setDiagnosisCfg handler of the /usr/sbin/lighttpd executable. The ip parameter is retrieved via websGetVar and passed to a ping command through CsteSystem without validating if the input starts with a hyphen (-). This allows remote authenticated attackers to inject arbitrary command-line options into the ping utility, potentially leading to a Denial of Service (DoS) by causing excessive resource consumption or prolonged execution.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| totolink | x5000r_firmware | 9.1.0cu.2415_b20250515:cu.2415_b20250515 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')The software constructs a string for a command to executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
- CWE-400 - Uncontrolled Resource ConsumptionThe software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.