TOTOLINK X6000R Improper Input Validation Vulnerability Allowing Flooding

Vulnerability

A vulnerability exists in the TOTOLINK X6000R router firmware, specifically in versions through V9.4.0cu.1360_B20241207. This vulnerability is due to improper input validation, which allows an unauthenticated attacker to inject malicious arguments into system commands executed by the device. The lack of proper sanitization enables the injection of command-line options that can be exploited to cause denial-of-service conditions, either locally on the device or remotely against other devices.

Impact

Exploitation of this vulnerability can lead to a denial-of-service condition on the affected device or any remote device.

Reproduction

The vulnerability can be reproduced by sending a request to the X6000R router that includes injected arguments in the `setDiagnosisCfg` function. The injected arguments can be crafted to exploit the improper input validation, causing the device to execute commands with the maliciously injected options. This can be done by initiating a network diagnostic command that is vulnerable to argument injection.
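As an added defensive illustration (not TOTOLINK's code: the real handler, the parameter names `target` and `count`, and the underlying tool, assumed here to be `ping`, are not shown on this page), the C snippet below shows the input validation such a diagnosis handler needs. A target that starts with `-` or contains anything other than hostname characters is rejected, the probe count is clamped, and the command is assembled as an argv for `execv()` with `--` ahead of the target so it can never be read as an option.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical hardened validation for a router diagnosis handler
 * (added example; parameter names and the use of ping are assumed). */

/* Accept only a hostname or dotted IPv4 literal: alphanumerics, '.', '-'.
 * A leading '-' is rejected because a diagnostic tool would read it as a
 * command-line option, which is the root cause of argument injection. */
int diag_target_is_safe(const char *s)
{
    size_t n = s ? strlen(s) : 0;
    if (n == 0 || n > 253) return 0;
    if (s[0] == '-' || s[0] == '.') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '-') return 0;
        /* no empty label, no trailing dot, no label starting with '-' */
        if (c == '.' && (s[i + 1] == '\0' || s[i + 1] == '.' || s[i + 1] == '-'))
            return 0;
    }
    return 1;
}

/* Keep the probe count in a small fixed range so the diagnostic cannot be
 * turned into a flood source against the device or a third party. */
int diag_count_is_safe(int count)
{
    return count >= 1 && count <= 5;
}

/* Build an argv for execv(): no shell, a fixed option set, and "--" before
 * the target so getopt-style parsers stop option processing there.
 * Returns the argv length, or 0 when validation rejects the input. */
int build_ping_argv(const char *target, int count,
                    char *countbuf, size_t countlen, const char *argv[6])
{
    if (!diag_target_is_safe(target) || !diag_count_is_safe(count)) return 0;
    snprintf(countbuf, countlen, "%d", count);
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = countbuf;
    argv[3] = "--";
    argv[4] = target;
    argv[5] = NULL;
    return 5;
}
```

The allow-list check is the primary control; the `--` separator is defence in depth in case a later code change weakens the validation.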

Remediation

TOTOLINK has released a patched firmware version. Users can download the latest firmware from the TOTOLINK Download Center.

Added: Sep 23, 2025, 6:23 PM
Updated: Sep 23, 2025, 6:23 PM

Vulnerability Rating

Custom Algorithm

| Category       | Score |
| -------------- | ----- |
| spread         | 0.3   |
| impact         | 4.0   |
| exploitability | 8.1   |
| remediation    | 7.7   |
| relevance      | 0.6   |
| threat         | 1.6   |
| urgency        | 2.9   |
| incentive      | 9.2   |

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.