| Title | TOTOLINK N300RH_V4 V6.1c.1353_B20190305 OS Command Injection |
|---|
| Description | The vulnerability is located in the setUpgradeUboot handler within upgrade.so. The web management interface retrieves the user-controlled FileName parameter and passes it into the bootloader upgrade routine. This endpoint can be reached remotely without authentication and does not require user interaction.
The root cause is improper neutralization of externally supplied input before it is embedded into shell command strings. The FileName value is forwarded to mtd_write_bootloader(), where it is inserted directly into command templates and executed through CsteSystem(). Because no sanitization or escaping is applied, shell metacharacters in FileName can terminate the intended command context and inject arbitrary operating system commands. |
|---|
| Source | ⚠️ https://github.com/xyh4ck/iot_poc/tree/main/TOTOLINK/N300RHv4/02_setUpgradeUboot_RCE |
|---|
| User | xuanyu (UID 36103) |
|---|
| Submission | 04/03/2026 16:17 (10 days ago) |
|---|
| Moderation | 04/12/2026 20:06 (9 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 357038 [Totolink N300RH 6.1c.1353_B20190305 upgrade.so setUpgradeUboot FileName os command injection] |
|---|
| Points | 20 |
|---|