| Title | TOTOLINK Wi-Fi 6 Router X2000R-Gh-V2.0.0 Insecure Storage of Sensitive Information |
|---|
| Description | An insecure password vulnerability was identified in TOTOLINK Wi-Fi 6 Router series devices running firmware version X2000R-Gh-V2.0.0. The root user account uses a weak password (cracked as "123456" using the John tool). This password is stored in the world-readable file /etc/shadow.sample using MD5-crypt hashing, which can be easily decrypted by tools like John and exploited. For example, it allows unauthorized root access to the device through network-accessible services or the administrative interface. |
|---|
| Source | ⚠️ https://github.com/XXRicardo/iot-cve/blob/main/TOLOLINK/X2000R-Gh-V2.0.0.md |
|---|
| User | lxyilu (UID 88936) |
|---|
| Submission | 08/16/2025 12:31 (10 months ago) |
|---|
| Moderation | 08/28/2025 13:12 (12 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 321691 [TOTOLINK X2000R up to 2.0.0 Administrative Interface /etc/shadow.sample default credentials] |
|---|
| Points | 20 |
|---|