Submit #735695: TOTOLINK LR350 LR350 V9.3.5u.6369_B20220309 Command Injectioninfo

TitleTOTOLINK LR350 LR350 V9.3.5u.6369_B20220309 Command Injection
DescriptionIn the LR350 V9.3.5u.6369_B20220309 firmware has a command injection vulnerability in the setDiagnosisCfg function. The Var variable receives the ip parameter from a POST request. However, since the user can control the input of ip, the doSystem can cause a command injection vulnerability.
Source⚠️ https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setDiagnosisCfg-2e453a41781f800d9ba9c6da80b55276?source=copy_link
User
 wxhwxhwxh_mie (UID 66748)
Submission01/10/2026 03:53 AM (1 month ago)
Moderation01/18/2026 02:55 PM (8 days later)
StatusAccepted
VulDB entry341742 [Totolink LR350 9.3.5u.6369_B20220309 POST Request /cgi-bin/cstecgi.cgi setDiagnosisCfg ip command injection]
Points15

PreviousOverviewNext

Do you want to use VulDB in your project?

Use the official API to access entries easily!