Submit #852073: TOTOLINK TOTOLINK X5000R V9.1.0cu.2415_B20250515,V9.1.0cu.2350_B20230313 Pre-authenticated OpenVPN profileinfo

TitleTOTOLINK TOTOLINK X5000R V9.1.0cu.2415_B20250515,V9.1.0cu.2350_B20230313 Pre-authenticated OpenVPN profile
DescriptionTOTOLINK X5000R cstecgi.cgi contains an exportOvpn handler that processes OpenVPN export requests before the normal web token/session authentication path. A remote unauthenticated attacker can request existing OpenVPN user profile files or archives. The handler also concatenates the user-controlled username value into /etc/openvpn/server/user/%s.ovpn or /etc/openvpn/server/user/%s.tar.gz without path normalization or directory boundary checks, allowing ../ traversal to read suffix-matching files outside the OpenVPN user directory. This issue is not submitted as RCE. Current evidence supports pre-authenticated OpenVPN profile/archive disclosure and suffix-constrained path traversal. Vulnerable request forms: /cgi-bin/cstecgi.cgi?exportOvpn&type=user&name=<username>&mode=config /cgi-bin/cstecgi.cgi?exportOvpn&type=user&name=<username>&filetype=gz The firmware parser is position-sensitive: arg0: contains exportOvpn arg1: type=user arg2: username field, for example name=<username> or username=<username> arg3: mode=config or filetype=gz Impact: An unauthenticated attacker can download existing OpenVPN profile files or OpenVPN export archives. If those files contain client certificates, private keys, static keys, server addresses, or reusable VPN credentials, the attacker may obtain VPN access material without logging in to the web interface. The traversal behavior is not a fully arbitrary file read. The file path is constrained by the forced suffix: mode=config appends .ovpn filetype=gz appends .tar.gz Suggested CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N = 7.5 High CVSS rationale: The vulnerability is remotely reachable over HTTP, requires low attack complexity, requires no privileges or user interaction, and primarily impacts confidentiality. The score assumes that OpenVPN profile or archive files contain sensitive VPN access material. If the dependency on generated OpenVPN files is considered a stronger environmental limitation, confidentiality impact may be adjusted downward. Reproduction status: The issue has been reproduced in a local QEMU/chroot CGI harness using the original firmware CGI and libraries. The original firmware samples were not modified. The harness pre-created representative OpenVPN output files in a temporary rootfs to model a configured device runtime state, because firmware images do not include user-generated OpenVPN exports by default. Representative laboratory evidence: exportOvpn&type=user&name=alice&mode=config HTTP/1.1 200 OK OVPN_SECRET_FOR_ALICE exportOvpn&type=user&name=alice&filetype=gz HTTP/1.1 200 OK TARGZ_SECRET_FOR_ALICE exportOvpn&type=user&name=../passwd&mode=config HTTP/1.1 200 OK TRAVERSAL_SECRET exportOvpn&type=user&name=../passwd&filetype=gz HTTP/1.1 200 OK TRAVERSAL_GZ_SECRET Command log from the harness: openvpn-cert build_user alice config openvpn-cert build_user alice gz openvpn-cert build_user ../passwd config openvpn-cert build_user ../passwd gz RCE boundary: Current evidence does not support a command execution claim. Shell metacharacter and URL-encoded metacharacter tests did not produce command execution in the available evidence. Tested categories included semicolon, pipe, backtick, $(), raw LF/CR/tab, URL-encoded metacharacters, and filetype/type parameter injection. Duplicate check: I checked public CVE records and did not find an exact duplicate for the following combination: TOTOLINK X5000R V9.1.0cu.2415_B20250515 / V9.1.0cu.2350_B20230313 + cstecgi.cgi exportOvpn + pre-authenticated OpenVPN profile/archive disclosure + suffix-constrained path traversal. No existing CVE was found that covers this exact combination. Related but not exact duplicate: 1. CVE-2025-14586 This is an exportOvpn command injection affecting TOTOLINK X5000R 9.1.0cu.2089_B20211224. It is related to the same general exportOvpn area, but the public issue is command injection on a different firmware version. The issue reported here is file disclosure and suffix-constrained path traversal verified on V9.1.0cu.2415_B20250515 and V9.1.0cu.2350_B20230313. 2. CVE-2025-13184 This is unauthenticated Telnet enablement via cstecgi.cgi on X5000R V9.1.0u.6369_B20230113. It is a different handler and impact. 3. CVE-2025-9934 This is a cstecgi.cgi command injection in function sub_410C34 via the pid argument affecting V9.1.0cu.2415_B20250515. It is a different function, argument, and impact. References: NVD CVE-2025-14586: https://nvd.nist.gov/vuln/detail/CVE-2025-14586 NVD CVE-2025-13184: https://nvd.nist.gov/vuln/detail/CVE-2025-13184 NVD CVE-2025-9934: https://nvd.nist.gov/vuln/detail/CVE-2025-9934 Suggested remediation: - Move exportOvpn behind the same token/session authentication used by privileged web actions. - Validate usernames with a strict allowlist such as ^[A-Za-z0-9_-]{1,64}$. - Normalize the final path and verify that it remains under /etc/openvpn/server/user/. - Do not allow unauthenticated requests to invoke openvpn-cert build_user. - Avoid system() string concatenation for external commands; use an argument-vector execution API where possible. Disclosure plan: I am requesting coordinated handling and a CVE assignment. I do not plan to publish full exploit details before vendor coordination. A reasonable coordinated disclosure timeline would be 90 days from vendor acknowledgement, unless the vendor requests a different schedule or confirms that a fix is available earlier. Please let me know if additional information, a minimized PoC, packet capture, real-device reproduction, or full-system QEMU reproduction is required.
Source⚠️ https://github.com/meishigana/CVE/tree/main/totolink_x5000r_exportovpn_file_disclosure_2026-06-09
User
 fuhanhan2014 (UID 98832)
Submission06/09/2026 02:18 (1 month ago)
Moderation07/09/2026 08:54 (1 month later)
StatusAccepted
VulDB entry377125 [TOTOLINK X5000R 9.1.0cu.2350_B20230313/9.1.0cu.2415_B20250515 OpenVPN Export /web/cgi-bin/cstecgi.cgi exportOvpn path traversal]
Points20

Might our Artificial Intelligence support you?

Check our Alexa App!