TOTOLINK X6000R OS Command Injection Vulnerability in NTP Synchronization Handler

Vulnerability

A command injection vulnerability has been identified in the TOTOLINK X6000R router, specifically in firmware version 9.4.0cu.1498_B20250826. The issue resides in the NTP synchronization feature, where the 'host_time' parameter is improperly validated: only the first two tokens of the value are checked, and the remainder of the string is passed to a shell command unsanitized. Because the check never inspects the trailing portion, an attacker can append shell metacharacters after two well-formed tokens and have the appended text interpreted by the shell. This allows authenticated attackers to execute arbitrary commands on the device, potentially leading to full system compromise.

Impact

Successful exploitation gives an authenticated attacker arbitrary command execution on the affected device, with the potential for full system compromise. Commands run in the context of the process handling NTP synchronization, which on embedded routers of this kind typically runs with elevated privileges.

Reproduction

To reproduce this vulnerability, an authenticated user sends a crafted request to the NTP synchronization handler. The 'host_time' parameter is formatted so that its first two tokens satisfy the validation, followed by shell metacharacters and the command to be injected; the trailing portion is never validated and is executed by the system shell.
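The pattern described above, reduced to a small C model. This is an added illustration, not TOTOLINK code: the function names, the assumed "YYYY-MM-DD HH:MM:SS" layout of 'host_time', and the assumed underlying `date -s` command are all hypothetical. The weak check inspects only the first two whitespace-separated tokens (as the advisory describes) and then interpolates the whole parameter into a shell string; the hardened version allow-lists every byte and builds an argv for `execv`/`posix_spawn` so no shell ever parses the value. Nothing here executes a command; `vulnerable_build_cmd` only returns the string that `system()` would receive.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Weak check modelled on the advisory: sscanf reads the first two tokens and
 * stops, so anything after the second token is never examined.
 * The date/time layout is an assumption for this example. */
static int weak_validate(const char *host_time)
{
    char date[32], clock[32];
    if (sscanf(host_time, "%31s %31s", date, clock) != 2) return -1;
    if (strlen(date) != 10 || date[4] != '-' || date[7] != '-') return -1;
    if (strlen(clock) != 8 || clock[2] != ':' || clock[5] != ':') return -1;
    return 0;
}

/* Vulnerable pattern: the full, partially validated parameter is spliced into
 * a shell command line. Returns the string system() would run, or NULL when
 * the weak check rejects the input. The command itself is hypothetical. */
const char *vulnerable_build_cmd(const char *host_time)
{
    static char cmd[256];
    if (weak_validate(host_time) != 0) return NULL;
    snprintf(cmd, sizeof cmd, "date -s '%s'", host_time);
    return cmd;
}

/* Hardened check: fixed length, every position allow-listed. A value such as
 * "2025-08-26 12:00:00 ';id;#" fails on length before any byte is inspected. */
int strict_validate(const char *host_time)
{
    static const char layout[] = "dddd-dd-dd dd:dd:dd";   /* d = digit */
    size_t len = strlen(host_time);
    if (len != sizeof layout - 1) return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host_time[i];
        if (layout[i] == 'd') { if (!isdigit(c)) return -1; }
        else if (c != (unsigned char)layout[i]) return -1;
    }
    return 0;
}

/* Hardened dispatch: returns a NULL-terminated argv for execv()/posix_spawn(),
 * or NULL if validation fails. Because no shell is involved, even a value that
 * slipped past validation could not chain a second command. */
const char *const *hardened_argv(const char *host_time)
{
    static const char *argv[4];
    if (strict_validate(host_time) != 0) return NULL;
    argv[0] = "date";      /* hypothetical target binary */
    argv[1] = "-s";
    argv[2] = host_time;   /* passed as a single argument, never re-parsed */
    argv[3] = NULL;
    return argv;
}

int main(void)
{
    /* Constructed inputs: a benign value and one carrying an injected command. */
    const char *benign  = "2025-08-26 12:00:00";
    const char *payload = "2025-08-26 12:00:00 ';id;#";
    const char *inputs[] = { benign, payload };

    for (size_t i = 0; i < 2; i++) {
        const char *cmd = vulnerable_build_cmd(inputs[i]);
        printf("input  : %s\n", inputs[i]);
        printf("weak   : %s\n", cmd ? cmd : "(rejected)");
        printf("strict : %s\n\n", strict_validate(inputs[i]) == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

With the payload, the weak path yields `date -s '2025-08-26 12:00:00 ';id;#'`: the single-quoted string is closed by the attacker's quote, `id` runs as a second command, and `#` comments out the dangling quote. The strict path rejects the same value on length alone, and the argv form removes the shell from the picture regardless.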

Added: Feb 23, 2026, 9:26 PM
Updated: Feb 23, 2026, 9:26 PM

Vulnerability Rating

Custom Algorithm

spread:         0.3
impact:         7.5
exploitability: 6.2
remediation:    0.0
relevance:      3.1
threat:         6.5
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.