| Title | TOTOLINK N600R V4.3.0 Misconfiguration |
|---|---|
| Description | In TOTOLink N600R V4.3.0 devices, there is a misconfiguration vulnerability. The configuration file vsftpd.conf enables the chown_uploads property but does not explicitly set the required chown_username property which defaults to root. This results in a critical security flaw where all files uploaded anonymously via FTP are automatically owned by the root user. It allows remote attackers with anonymous FTP access to gain root-level control over the devices. |
| Source | ⚠️ https://www.notion.so/23a54a1113e780c08f3acca6a746d732 |
| User | TPCchecker (UID 88315) |
| Submission | 07/24/2025 18:37 (9 months ago) |
| Moderation | 07/25/2025 10:22 (16 hours later) |
| Status | Accepted |
| VulDB entry | 317595 [TOTOLINK N600R/X2000R 1.0.0.1 FTP Service vsftpd.conf least privilege violation] |
| Points | 17 |
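
A configuration audit for the condition in the description, as an added example that is not part of the submission or the vendor firmware: it flags a vsftpd.conf where `chown_uploads` is on while `chown_username` is unset or root. The two sample configs are constructed (the device's actual file is not shown on this page), the account name `ftpupload` is hypothetical, and the defaults are those documented in vsftpd.conf(5).

```python
# Added example: flags the vsftpd.conf condition from the description above.
DEFAULTS = {  # built-in vsftpd defaults, per vsftpd.conf(5)
    "anonymous_enable": "YES", "write_enable": "NO",
    "anon_upload_enable": "NO", "chown_uploads": "NO",
    "chown_username": "root",
}

def parse(text):
    """Return explicitly set option=value pairs; a later line overrides an earlier one."""
    explicit = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            explicit[key.strip()] = value.strip()
    return explicit

def enabled(settings, key):
    return settings[key].upper() in ("YES", "TRUE", "1")

def audit(text):
    """Return a list of findings; an empty list means the condition is absent."""
    explicit = parse(text)
    eff = {**DEFAULTS, **explicit}  # effective settings: defaults overlaid by the file
    findings = []
    if not enabled(eff, "chown_uploads"):
        return findings
    if "chown_username" not in explicit:
        findings.append("chown_uploads is on but chown_username is unset: uploads become root-owned")
    elif eff["chown_username"] == "root":
        findings.append("chown_username is explicitly root: uploads become root-owned")
    anon_keys = ("anonymous_enable", "write_enable", "anon_upload_enable")
    if findings and all(enabled(eff, k) for k in anon_keys):
        findings.append("anonymous upload is enabled, so no credentials are needed to reach this")
    return findings

# Constructed sample: chown_uploads enabled, chown_username left to its default.
WEAK = "anonymous_enable=YES\nwrite_enable=YES\nanon_upload_enable=YES\nchown_uploads=YES\n"
# Constructed sample: same service, ownership handed to a hypothetical unprivileged account.
FIXED = WEAK + "chown_username=ftpupload\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("fixed", FIXED)):
        print(name, audit(conf) or "no findings")
```
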