Submit #804417: Totolink C834FR-1C NR1800X command injectioninfo

TitleTotolink C834FR-1C NR1800X command injection
DescriptionThe vulnerability exists in the cstecgi.cgi of the TOTOLINK C834FR-1C (NR1800X) firmware version V9.1.0u.6279_B20210910. When the topicurl is setUssd, the program directly concatenates the user-controllable ussd parameter with the cli_atc AT+CUSD=1, \"%s\" > /tmp/.ussd_file command string through snprintf, and calls system to execute it. The vulnerability arises due to the lack of filtering for special characters in the input, leading to command injection. An attacker can exploit this vulnerability by constructing a payload such as " ; echo 'arbitrary command' > /tmp/ussd_success;" in the ussd parameter, by prematurely closing the double quotation marks, injecting a custom command using a semicolon, and commenting out the subsequent part with a hash symbol, thereby executing arbitrary operating system commands on the target device.
Source⚠️ https://github.com/newym/cve/blob/main/totolink%20nr1800x%20command%20injection.md
User
 NEWYM (UID 85144)
Submission04/14/2026 15:39 (3 months ago)
Moderation04/30/2026 21:01 (16 days later)
StatusAccepted
VulDB entry360358 [Totolink NR1800X 9.1.0u.6279_B20210910 /cgi-bin/cstecgi.cgi sub_41A68C setUssd command injection]
Points20

Do you know our Splunk app?

Download it now for free!