
TOTOLINK X5000R Router: Uncontrolled Command Injection

CVE-2025-70327
Summary

A security issue in the TOTOLINK X5000R router could allow a remote authenticated attacker to cause the device to crash or run slowly by sending a specially crafted request to the router's diagnostic (ping) feature. This is a risk because it could make it hard to use the router or access the internet. To fix this, update the router's software to the latest version.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor | Product | Affected versions | Fix available
totolink | x5000r_firmware | 9.1.0cu.2415_b20250515 | –
Original title
TOTOLINK X5000R v9.1.0cu_2415_B20250515 contains an argument injection vulnerability in the setDiagnosisCfg handler of the /usr/sbin/lighttpd executable. The ip parameter is retrieved via websGetVa...
Original description
TOTOLINK X5000R v9.1.0cu_2415_B20250515 contains an argument injection vulnerability in the setDiagnosisCfg handler of the /usr/sbin/lighttpd executable. The ip parameter is retrieved via websGetVar and passed to a ping command through CsteSystem without validating if the input starts with a hyphen (-). This allows remote authenticated attackers to inject arbitrary command-line options into the ping utility, potentially leading to a Denial of Service (DoS) by causing excessive resource consumption or prolonged execution.
NVD CVSS 3.1: 9.8
Vulnerability type
CWE-88
CWE-400 Uncontrolled Resource Consumption
Published: 23 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026
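
The check the description says is missing, sketched as an added example (not TOTOLINK's code and not part of the original advisory): the value is rejected if it starts with a hyphen and is then passed as a single argv element with server-chosen limits instead of being pasted into a command string. `diag_target_is_safe` and `build_ping_argv` are hypothetical names, and the `-c 4` / `-w 10` limits are assumed values.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: returns 1 if `target` is safe to hand to ping as its
 * destination operand, 0 otherwise. */
int diag_target_is_safe(const char *target)
{
    unsigned char buf[sizeof(struct in6_addr)];
    size_t len, i;

    if (target == NULL)
        return 0;
    len = strlen(target);
    if (len == 0 || len > 253)
        return 0;
    /* The check missing in the advisory: a leading '-' makes ping parse
     * the value as an option instead of a destination. */
    if (target[0] == '-')
        return 0;
    /* Literal IPv4 / IPv6 addresses are accepted as-is. */
    if (inet_pton(AF_INET, target, buf) == 1 ||
        inet_pton(AF_INET6, target, buf) == 1)
        return 1;
    /* Otherwise allow only hostname characters, so spaces, quotes and
     * shell metacharacters never reach the command line. */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)target[i];
        if (!isalnum(c) && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* Hypothetical helper: fills argv[] for an execv-style call with fixed,
 * server-chosen limits. Returns the argument count, or -1 if rejected. */
int build_ping_argv(const char *target, const char *argv[], size_t cap)
{
    if (cap < 7 || !diag_target_is_safe(target))
        return -1;
    argv[0] = "ping";
    argv[1] = "-c"; argv[2] = "4";   /* bounded packet count (assumed value) */
    argv[3] = "-w"; argv[4] = "10";  /* overall deadline, seconds (assumed) */
    argv[5] = target;
    argv[6] = NULL;
    return 6;
}
```

Bounding the count and deadline on the server side addresses the resource-consumption impact (CWE-400) even for inputs that pass validation.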