Totolink X5000R
cpe:2.3:h:totolink:x5000r:*:*:*:*:*:*:*
- V9.1.0u.6369_B20230113
An authentication bypass vulnerability has been identified in the TOTOLINK X5000R AX1800 router, specifically in the firmware version V9.1.0u.6369_B20230113. This vulnerability allows unauthenticated users to enable Telnet access, leading to root login with a blank password. The issue arises from the 'cstecgi.cgi' component, where the authentication check is bypassed, allowing arbitrary command execution with administrative privileges.
Exploitation of this vulnerability grants full root access to the device, allowing unauthorized users to execute arbitrary commands with administrative privileges. This could lead to modification of system configurations, interception of network traffic, and unauthorized access to other devices on the local network. If the router's management interface is exposed to the wider internet, this vulnerability could be exploited remotely.
To reproduce this vulnerability, send an HTTP request to the '/cgi-bin/cstecgi.cgi' endpoint with the 'action' parameter set to 'telnet', and include the 'enable' parameter set to '1' and the 'code' parameter with the current date in 'MMDDYYYY' format. A blank 'password' parameter should also be included. This request can be made using a tool like curl. Once the Telnet service is enabled, it can be accessed without a password, as the service defaults to granting root access.
Currently, there is no firmware patch available from TOTOLINK for this vulnerability. Users are advised to segment the router from untrusted networks, monitor for unexpected Telnet traffic, and consider flashing an alternative firmware such as OpenWrt, which is supported on the X5000R hardware.
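The monitoring advice above, as an added example that is not part of the original advisory or any TOTOLINK code: a Python check that flags requests asking 'cstecgi.cgi' to enable Telnet, and Telnet connections to the router, in network logs. The log format, the router address 192.168.0.1 and the placement of the parameters in the URI query string are assumptions, and the sample records are constructed.

```python
from urllib.parse import urlsplit, parse_qs

ROUTER_IP = "192.168.0.1"  # assumption: the router's LAN address

# Constructed sample records, not real traffic. Assumed log format:
#   HTTP <src> <dst> <method> <uri>
#   CONN <src> <dst> <dst_port>
SAMPLE_LOG = """\
HTTP 192.168.0.23 192.168.0.1 GET /cgi-bin/cstecgi.cgi?action=status
HTTP 192.168.0.57 192.168.0.1 GET /cgi-bin/cstecgi.cgi?action=telnet&enable=1&code=01012024&password=
CONN 192.168.0.23 192.168.0.1 443
CONN 192.168.0.57 192.168.0.1 23
HTTP 192.168.0.57 192.168.0.9 GET /cgi-bin/cstecgi.cgi?action=telnet&enable=1
"""


def is_telnet_enable(uri):
    """True if the URI asks cstecgi.cgi to enable Telnet (action=telnet, enable=1)."""
    parts = urlsplit(uri)
    if not parts.path.endswith("/cgi-bin/cstecgi.cgi"):
        return False
    # Assumption: the parameters are logged in the query string.
    params = parse_qs(parts.query, keep_blank_values=True)
    return "telnet" in params.get("action", []) and "1" in params.get("enable", [])


def scan(log_text, router_ip=ROUTER_IP):
    """Return (alert_type, source_ip) tuples for traffic aimed at the router."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != router_ip:
            continue  # malformed record or not addressed to the router
        kind, src = fields[0], fields[1]
        if kind == "HTTP" and len(fields) >= 5 and is_telnet_enable(fields[4]):
            alerts.append(("telnet-enable-request", src))
        elif kind == "CONN" and fields[3] == "23":
            alerts.append(("telnet-connection", src))
    return alerts


def correlated_sources(alerts):
    """Sources seen both requesting Telnet enablement and connecting to port 23."""
    requested = {src for kind, src in alerts if kind == "telnet-enable-request"}
    connected = {src for kind, src in alerts if kind == "telnet-connection"}
    return sorted(requested & connected)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    print(found, correlated_sources(found))
```

A source that appears in both alert types is the strongest signal, since on an affected device any inbound connection to TCP port 23 is already unexpected.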