TOTOLINK N600R
cpe:2.3:h:totolink:n600r:*:*:*:*:*:*:*
- V4.3.0cu.7647_B20210106
- V4.3.0cu.7866_B20220506
A command injection vulnerability has been identified in the TOTOLINK N600R router, specifically in version V4.3.0cu.7647_B20210106. The issue arises in the setWiFiWpsConfig function, where the pin parameter is vulnerable to injection attacks.
Successful exploitation allows an attacker to execute arbitrary commands on the device.
The vulnerability can be reproduced by sending a crafted JSON payload to the setWiFiWpsConfig function. The payload must include a pin value that contains the injected command. This can be done using a tool that allows for sending HTTP requests, such as curl or Postman.
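The input-side mitigation for a pin parameter like this one, as an added example (not TOTOLINK's code and not part of the original entry): a strict allow-list check that accepts only an 8-digit WPS PIN with a valid checksum digit. The function names are hypothetical, and the example assumes the handler only needs to support 8-digit PINs and that the value would otherwise be placed into a command line.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* WPS checksum digit computed over the first 7 digits of an 8-digit PIN. */
static unsigned long wps_checksum(unsigned long pin7)
{
    unsigned long accum = 0;
    while (pin7) {
        accum += 3 * (pin7 % 10);
        pin7 /= 10;
        accum += pin7 % 10;
        pin7 /= 10;
    }
    return (10 - accum % 10) % 10;
}

/*
 * Hypothetical validator: returns 1 only if pin is exactly 8 ASCII digits
 * whose last digit matches the WPS checksum. NULL, wrong lengths, whitespace
 * and shell metacharacters are all rejected before the value is used.
 */
int wps_pin_is_valid(const char *pin)
{
    unsigned long value;
    size_t i;

    if (pin == NULL || strlen(pin) != 8)
        return 0;
    for (i = 0; i < 8; i++)
        if (pin[i] < '0' || pin[i] > '9')
            return 0;
    value = strtoul(pin, NULL, 10);
    return wps_checksum(value / 10) == value % 10;
}

int main(void)
{
    /* Constructed sample inputs, not taken from any real request. */
    const char *samples[] = { "12345670", "12345678", "1234567;", "12345670;id" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %s\n", samples[i],
               wps_pin_is_valid(samples[i]) ? "accept" : "reject");
    return 0;
}
```

Validation of this kind works best alongside invoking the helper program with an argument vector instead of a shell string, so that a missed check does not turn back into command execution.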