| Title | TOTOLINK X5000R v9.1.0cu.2089_B20211224 RCE |
|---|
| Description | TOTOLINK X5000R firmware v9.1.0cu.2089_B20211224 contains an OS command injection vulnerability in the cstecgi.cgi component, in the exportOvpn handler.
The parameter "user" is passed into snprintf() and invoked by system() without sanitization, allowing remote attackers to execute arbitrary commands on the device.
In function main(), the value of parameter "user" is taken from the query string via getNthValueSafe(), then formatted into:
snprintf(v55, 256, "openvpn-cert build_user %s config", v49);
followed by:
system(v55);
Because v49 is not validated nor escaped, an attacker can inject shell meta-characters.
|
|---|
| Source | ⚠️ https://github.com/awigwu76/TOTOLINK_X5000R/blob/main/1.md |
|---|
| User | awigwu76 (UID 91463) |
|---|
| Submission | 12/03/2025 07:32 (4 months ago) |
|---|
| Moderation | 12/12/2025 15:55 (9 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 336206 [TOTOLINK X5000R 9.1.0cu.2089_B20211224 cstecgi.cgi?action=exportOvpn&type=user snprintf User os command injection] |
|---|
| Points | 20 |
|---|