| Title | Totolink X6000R V9.4.0cu.1360_B20241207/V9.4.0cu.1498_B20250826 OS Command Injection |
|---|
| Description | A critical vulnerability was found in Totolink X6000R V9.4.0cu.1360_B20241207 and V9.4.0cu.1498_B20250826. The setLanCfg handler in /usr/sbin/shttpd passes the hostname parameter unsanitized into the shell command: echo '%s' > /proc/sys/kernel/hostname. The input validation function at 0x417cb4 fails to block single quote (0x27), double quote (0x22), output redirection (>), and comment character (#). An authenticated attacker can inject hostname=x'+>/etc/crontabs/root+# to escape the quoted context, redirect output to arbitrary files, and achieve persistent Remote Code Execution via cron job injection. This vulnerability is distinct from CVE-2025-52905/52906/52907 which target different handlers (setDiagnosisCfg/setTracerouteCfg) using a different attack vector. |
|---|
| User | 1935648903 (UID 91849) |
|---|
| Submission | 03/09/2026 10:03 (21 days ago) |
|---|
| Moderation | 03/23/2026 06:44 (14 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 352475 [TOTOLINK X6000R 9.4.0cu.1360_B20241207/9.4.0cu.1498_B20250826 /usr/sbin/shttpd setLanCfg Hostname os command injection] |
|---|
| Points | 17 |
|---|