TOTOLINK X5000R Argument Injection Vulnerability in Lighttpd Ping Command Handler

A vulnerability allowing argument injection has been identified in the TOTOLINK X5000R router, specifically in version 9.1.0cu_2415_B20250515. The issue arises in the 'setDiagnosisCfg' handler of the 'lighttpd' executable, where the 'ip' parameter is taken from user input and passed to a ping command without proper validation. This flaw enables remote authenticated attackers to inject arbitrary command-line options into the ping utility. Exploitation of this vulnerability could lead to a denial-of-service condition by causing excessive resource usage or prolonged command execution, potentially disrupting the router's performance or overwhelming connected networks.

Impact

Exploitation of this vulnerability can cause the router to hang or reboot, tying up system resources and processes. Additionally, it can generate excessive traffic to remote hosts or upstream networks, further exacerbating the denial-of-service condition.

Reproduction

To reproduce this vulnerability, an authenticated user can send a POST request to the '/cgi-bin/cstecgi.cgi' endpoint with the 'topicurl' parameter set to 'setDiagnosisCfg'. The 'ip' parameter can be crafted to include option-like arguments, such as those starting with a hyphen, which will be injected into the ping command executed by the router. After the command is executed, the router may experience degraded performance or disruption, depending on the injected options.