| Título | Totolink X6000R V9.4.0cu.1360_B20241207/V9.4.0cu.1498_B20250826 OS Command Injection |
|---|
| Descrição | A critical vulnerability was found in Totolink X6000R V9.4.0cu.1360_B20241207 and V9.4.0cu.1498_B20250826. The setLanCfg handler in /usr/sbin/shttpd passes the hostname parameter unsanitized into the shell command: echo '%s' > /proc/sys/kernel/hostname. The input validation function at 0x417cb4 fails to block single quote (0x27), double quote (0x22), output redirection (>), and comment character (#). An authenticated attacker can inject hostname=x'+>/etc/crontabs/root+# to escape the quoted context, redirect output to arbitrary files, and achieve persistent Remote Code Execution via cron job injection. This vulnerability is distinct from CVE-2025-52905/52906/52907 which target different handlers (setDiagnosisCfg/setTracerouteCfg) using a different attack vector. |
|---|
| Utilizador | 1935648903 (UID 91849) |
|---|
| Submissão | 09/03/2026 10h03 (há 21 dias) |
|---|
| Moderação | 23/03/2026 06h44 (14 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 352475 [TOTOLINK X6000R 9.4.0cu.1360_B20241207/9.4.0cu.1498_B20250826 /usr/sbin/shttpd setLanCfg Nome do host Elevação de Privilégios] |
|---|
| Pontos | 17 |
|---|