TOTOLINK X6000R Command Injection Vulnerability

A command injection vulnerability has been identified in the TOTOLINK X6000R router, specifically in the firmware version V9.4.0cu.1360_B20241207. The vulnerability arises in the 'sub_417D74' function, where the 'file_name' parameter can be manipulated to execute arbitrary commands. This issue allows unauthenticated attackers to send crafted requests that execute commands on the device.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device.

Reproduction

To reproduce this vulnerability, send a POST request to '/cgi-bin/cstecgi.cgi' with a JSON payload that includes a crafted 'file_name' parameter. The payload should be designed to inject commands that will be executed on the device. Once the request is processed, the injected commands will be executed, demonstrating the command injection vulnerability.