8.0
TOTOLink X5000R: Attacker can run unauthorized system commands
CVE-2025-70329
Summary
If an attacker has access to the TOTOLink X5000R router and can send a specific request to the router's web interface, they may be able to run any system command with administrator privileges. This could potentially allow them to change settings, access sensitive data, or even take control of the router. To protect your network, update the router to the latest firmware version.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| totolink | x5000r_firmware | 9.1.0cu.2415_b20250515 | – |
Original title
TOTOLink X5000R v9.1.0cu_2415_B20250515 contains an OS command injection vulnerability in the setIptvCfg handler of the /usr/sbin/lighttpd executable. The vlanVidLan1 (and other vlanVidLanX) parame...
Original description
TOTOLink X5000R v9.1.0cu_2415_B20250515 contains an OS command injection vulnerability in the setIptvCfg handler of the /usr/sbin/lighttpd executable. The vlanVidLan1 (and other vlanVidLanX) parameters are retrieved via Uci_Get_Str and passed to the CsteSystem function without adequate validation or filtering. This allows an authenticated attacker to execute arbitrary shell commands with root privileges by injecting shell metacharacters into the affected parameters.
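The missing check described above, sketched as an added example (not code from the firmware or the vendor): a stored `vlanVidLanX` string is accepted only if it is a plain decimal VLAN ID, and the command text is built from the parsed integer rather than from the raw bytes. The helper names, the 1..4094 range (the 802.1Q VLAN ID range) and the `vconfig add eth0` command are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: returns the VLAN ID if `s` consists solely of
 * 1-4 decimal digits in the range 1..4094, otherwise -1. Any other byte
 * (space, sign, ';', '`', '$', ...) causes rejection. */
int parse_vlan_id(const char *s)
{
    if (s == NULL)
        return -1;
    size_t len = strlen(s);
    if (len == 0 || len > 4)
        return -1;
    int vid = 0;
    for (size_t i = 0; i < len; i++) {
        if (s[i] < '0' || s[i] > '9')
            return -1;
        vid = vid * 10 + (s[i] - '0');
    }
    return (vid >= 1 && vid <= 4094) ? vid : -1;
}

/* Hypothetical helper: writes a command line into `out` using only the
 * re-serialized integer. The command itself is a constructed placeholder.
 * Returns 0 on success, -1 if the value is rejected or does not fit. */
int build_vlan_cmd(char *out, size_t outlen, const char *raw_vid)
{
    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    int vid = parse_vlan_id(raw_vid);
    if (vid < 0)
        return -1;
    int n = snprintf(out, outlen, "vconfig add eth0 %d", vid);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

int main(void)
{
    /* Constructed sample values, as they might be read back from config. */
    const char *samples[] = { "100", "0010", "4095", "100;id", "" };
    char cmd[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = build_vlan_cmd(cmd, sizeof cmd, samples[i]);
        printf("%-8s -> %s\n", samples[i], rc == 0 ? cmd : "rejected");
    }
    return 0;
}
```

Passing the validated value as a separate argument to an exec-style call, with no shell involved, removes the metacharacter problem entirely where the firmware design allows it.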
NVD CVSS 3.1
8.0
Vulnerability type
CWE-78
OS Command Injection
- https://github.com/neighborhood-H/0-DAY/blob/main/Toto-link/X5000R/SetIptvCfg/re... Exploit Third Party Advisory
- https://www.notion.so/TOTOLINK-X5000R-SetIptvCfg-2d170566ca7f8027ad47e6b5429025f... Exploit Third Party Advisory
Published: 23 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026