Primary

Context

TOTOLINK N300RH Command Injection Vulnerability in CloudACMunualUpdateUserdata Function

Vulnerability

A critical command injection vulnerability has been identified in the TOTOLINK N300RH router, specifically in the firmware version 6.1c.1390_B20191101. The issue arises in the '/cgi-bin/cstecgi.cgi' file, where the 'url' argument can be manipulated to execute arbitrary commands. This vulnerability can be exploited remotely, without authorization.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device.

Reproduction

To reproduce this vulnerability, send an HTTP POST request to the '/cgi-bin/cstecgi.cgi' endpoint, targeting the 'CloudACMunualUpdateUserdata' function. Include a crafted 'url' argument that exploits the command injection flaw. The request can be made without any authentication.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

7.5

exploitability

8.7

remediation

0.0

relevance

0.0

threat

6.5

urgency

2.9

incentive

5.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

7.5

exploitability

8.7

remediation

0.0

relevance

0.0

threat

6.5

urgency

2.9

incentive

5.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

TOTOLINK N300RH Command Injection Vulnerability in CloudACMunualUpdateUserdata Function

Vulnerability

Impact

Reproduction

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating