Three security flaws, one of them rated critical, were discovered in the TOTOLINK X6000R router firmware version V9.4.0cu.1360_B20241207, released on March 28, 2025.
The vulnerabilities range from argument injection and command injection to a security bypass that can lead to remote code execution.
Attackers can crash the device, corrupt system files, and execute arbitrary commands without authentication.
Users should update to the fixed firmware release (V9.4.0cu.1498_B20250826) immediately to protect their networks.
Overview of the Vulnerabilities
| CVE Identifier | Rating | CVSS-B Score | Description |
| --- | --- | --- | --- |
| CVE-2025-52905 | High | 7.0 | Argument injection flaw that can crash the router or overwhelm external servers, resulting in denial of service. |
| CVE-2025-52906 | Critical | 9.3 | Unauthenticated command injection allowing remote execution of arbitrary commands on the device. |
| CVE-2025-52907 | High | 7.3 | Security bypass enabling arbitrary file writes, persistent denial of service, or chainable remote code execution. |
Technical Analysis of Argument Injection – CVE-2025-52905
The firmware's central web interface endpoint, /cgi-bin/cstecgi.cgi, dispatches requests to handler functions based on a topicurl parameter.
CVE-2025-52905 stems from an incomplete input validation function: it blocks common shell metacharacters but does not reject the hyphen (-), so a value beginning with "-" is accepted.
Because such a value is passed on to a command-line tool, an attacker can inject additional options into the call, crashing the device or redirecting the tool's operations at external servers.
Exploitation requires nothing more than network access to the router's web UI; if that interface is reachable from the WAN or an untrusted LAN segment, mass scanning and automated exploitation are trivial for threat actors.
Unauthenticated Command Injection Impact – CVE-2025-52906
CVE-2025-52906 exists in the setEasyMeshAgentCfg handler, which configures mesh agent settings. The handler does not sanitize the agentName parameter at all, so an unauthenticated attacker can embed shell commands in it.
Because the web server process runs with elevated privileges, the injected commands do too. A successful exploit can install persistent malware, intercept network traffic, or pivot to other devices in the user's environment.
This vulnerability combines two lapses: missing input sanitization and missing authentication on the handler.
Security Bypass Leading to RCE – CVE-2025-52907
CVE-2025-52907 abuses the same flawed sanitization logic in the setWizardCfg handler. By crafting input that avoids the blocklist, an attacker can write to arbitrary files on the device.

Critical system files such as /etc/passwd can be modified to add new accounts, and boot scripts can be altered so that attacker-controlled code runs on every restart.
Chained with the other two flaws, this gives persistent control over the router and undermines any network security perimeter built on it.
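All three flaws come down to how a request parameter reaches a command-line tool: unfiltered (CVE-2025-52906), or through a blocklist that forgets that a leading "-" is an option (CVE-2025-52905 and CVE-2025-52907). The following C program is an added illustration, not code from the TOTOLINK firmware or from Palo Alto Networks' report. The blocklist contents, the placeholder tool name "tool", the 63-character limit, and the assumption that the invoked tool honours "--" as an end-of-options marker are all choices made for this example; the page does not quote the firmware's real filter or the binary it calls.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Illustrative blocklist in the style the advisory describes: it rejects
 * shell metacharacters but not '-', so option-looking values pass.
 * (Assumption: the page does not quote the firmware's actual list.) */
static const char BLOCKED[] = ";|&$`<>(){}\r\n";

/* Returns 1 if no blocked character is present. */
int blocklist_ok(const char *s) {
    for (; *s; s++)
        if (strchr(BLOCKED, *s)) return 0;
    return 1;
}

/* Vulnerable pattern 1 (CVE-2025-52906 style): the value goes straight into
 * a shell command line with no check at all. "tool" is a placeholder name. */
int build_cmd_unfiltered(char *out, size_t n, const char *tool, const char *value) {
    return snprintf(out, n, "%s %s", tool, value);   /* caller hands this to system() */
}

/* Vulnerable pattern 2 (CVE-2025-52905/52907 style): the blocklist runs, but
 * a leading '-' still turns the value into an extra option for the tool. */
int build_cmd_blocklisted(char *out, size_t n, const char *tool, const char *value) {
    if (!blocklist_ok(value)) return -1;
    return snprintf(out, n, "%s %s", tool, value);
}

/* Hardened check: allowlist instead of blocklist, bounded length, and no
 * leading '-' so the value can never be parsed as an option. */
int allowlist_ok(const char *s) {
    size_t len = strlen(s);
    if (len == 0 || len > 63 || s[0] == '-') return 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Hardened invocation: build an argv vector (for execv/posix_spawn, never a
 * shell) so the value occupies exactly one argument. "--" ends option parsing
 * for getopt-style tools; assumption: the target tool honours it. */
int build_argv(const char *argv[], int max, const char *tool, const char *value) {
    if (max < 4 || !allowlist_ok(value)) return -1;
    argv[0] = tool;
    argv[1] = "--";
    argv[2] = value;
    argv[3] = NULL;
    return 3;   /* argc */
}

int main(void) {
    char cmd[128];
    const char *argv[4];

    build_cmd_unfiltered(cmd, sizeof cmd, "tool", "x; reboot");
    printf("unfiltered : %s\n", cmd);                  /* the shell would run reboot */

    build_cmd_blocklisted(cmd, sizeof cmd, "tool", "-f");
    printf("blocklisted: %s\n", cmd);                  /* "-f" became an option */

    printf("allowlist  : \"-f\" -> %d, \"x; reboot\" -> %d, \"agent01\" -> %d\n",
           allowlist_ok("-f"), allowlist_ok("x; reboot"), allowlist_ok("agent01"));

    if (build_argv(argv, 4, "tool", "agent01") == 3)
        printf("argv       : %s %s %s\n", argv[0], argv[1], argv[2]);
    return 0;
}
```

The point of build_argv is that once the value is its own argv element and no shell is involved, the only remaining way for it to change the tool's behaviour is to look like an option, which the leading-hyphen rule and the "--" marker both close off. The allowlist is the real fix; the blocklist approach fails whenever the tool, not the shell, is the thing being attacked.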
Home routers are the gateway to every connected device, and these vulnerabilities, reported by Palo Alto Networks, highlight the need for rigorous input validation in IoT firmware.
Users of the TOTOLINK X6000R should update to firmware V9.4.0cu.1498_B20250826 without delay and, until they do, ensure the web interface is not reachable from the WAN.
Keeping firmware current and monitoring the network for unexpected outbound connections from the router remain essential defences against emerging IoT threats.