TOTOLink X5000R OS Command Injection Vulnerability in Lighttpd IPTV Configuration Handler

Vulnerability

A command injection vulnerability has been identified in the TOTOLink X5000R router, specifically in version 9.1.0cu_2415_B20250515. The issue arises within the 'setIptvCfg' handler of the '/usr/sbin/lighttpd' executable, where parameters related to VLAN configuration are improperly validated before being passed to a system command execution function. This flaw allows authenticated attackers to execute arbitrary commands with root privileges by injecting shell metacharacters into the vulnerable parameters.

Impact

Exploitation of this vulnerability allows for arbitrary command execution with root privileges on the affected device.

Reproduction

The vulnerability can be reproduced by sending an authenticated HTTP POST request to the 'setIptvCfg' endpoint. The 'vlanVidLan1' parameter (or other 'vlanVidLanX' parameters) should be crafted to include shell metacharacters, such as semicolons, to inject and execute commands on the device. This can be done using a tool like Burp Suite to intercept and modify the request payload.
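The flaw described above (a VLAN parameter spliced into a command string before a shell runs it) and its fix are shown side by side in the added C example below. This is illustrative code written for this page, not the vendor's lighttpd handler: the command name `vconfig`, the interface name `eth0`, the buffer sizes and the sample parameter values are all assumptions. The hardened path accepts only a decimal 802.1Q VLAN ID in the range 1..4094 and passes it as its own argv element to `execvp()`, so no shell ever interprets the value.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed illustration of the flawed pattern: the raw vlanVidLanX
 * parameter is formatted into a shell command line, so any shell
 * metacharacter it carries survives into the string handed to system().
 * Returns 0 on success, -1 if the line would be truncated. */
int build_vlan_cmd_unsafe(const char *vlan_vid, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "vconfig add eth0 %s", vlan_vid);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened parse: accept only a decimal VLAN ID in 1..4094 (802.1Q range).
 * Empty input, non-digit characters and out-of-range values are rejected.
 * Returns 1 and stores the ID on success, 0 otherwise. */
int parse_vlan_id(const char *s, int *vid)
{
    if (s == NULL || *s == '\0' || strlen(s) > 4)
        return 0;
    for (const char *p = s; *p; p++)
        if (!isdigit((unsigned char)*p))
            return 0;
    long v = strtol(s, NULL, 10);
    if (v < 1 || v > 4094)
        return 0;
    *vid = (int)v;
    return 1;
}

/* Hardened command construction: the validated integer is re-serialised
 * into its own argv slot. Returns -1 if validation fails, 0 otherwise. */
int build_vlan_argv(const char *vlan_vid, char *vidbuf, size_t vidlen,
                    const char *argv[5])
{
    int vid;
    if (!parse_vlan_id(vlan_vid, &vid))
        return -1;
    snprintf(vidbuf, vidlen, "%d", vid);
    argv[0] = "vconfig";   /* assumed tool name */
    argv[1] = "add";
    argv[2] = "eth0";      /* assumed interface name */
    argv[3] = vidbuf;
    argv[4] = NULL;
    return 0;
}

/* Runs the hardened command without a shell. Returns the child's exit
 * status, or -1 if the parameter was rejected or the process failed. */
int apply_vlan_safe(const char *vlan_vid)
{
    char vidbuf[8];
    const char *argv[5];
    if (build_vlan_argv(vlan_vid, vidbuf, sizeof vidbuf, argv) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);        /* exec failed; never reached otherwise */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[128];
    /* Constructed inputs: a legitimate VLAN ID and one carrying a metacharacter. */
    const char *good = "100", *bad = "100;x";
    build_vlan_cmd_unsafe(bad, cmd, sizeof cmd);
    printf("unsafe line: %s\n", cmd);                  /* ';' survives verbatim */
    printf("safe(good) -> %d\n", apply_vlan_safe(good));
    printf("safe(bad)  -> %d\n", apply_vlan_safe(bad)); /* -1: rejected */
    return 0;
}
```

The point of the comparison is that validation alone (digits only, bounded range) closes the injection, and the argv-based exec removes the shell from the path entirely, so even a future validation slip cannot reintroduce metacharacter interpretation.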

Added: Feb 23, 2026, 8:31 PM
Updated: Feb 23, 2026, 8:31 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 7.5
exploitability: 6.2
remediation: 0.0
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.