TOTOLINK N600R and X2000R FTP Service Least Privilege Violation Vulnerability

Vulnerability

A critical misconfiguration vulnerability has been identified in TOTOLINK N600R and X2000R devices running version 1.0.0.1. The issue lies in the FTP service configuration file vsftpd.conf, where the chown_uploads property is enabled but the chown_username property it requires is not explicitly set, so it falls back to its default value of root. As a result, files uploaded by remote attackers with anonymous FTP access are automatically owned by the root user, potentially leading to unauthorized root-level control over the device.
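An added configuration audit, not part of this advisory or of TOTOLINK's firmware, that parses a vsftpd.conf and flags the combination described above; the two sample configurations are constructed, and the option defaults it assumes (chown_username defaults to root, anonymous_enable defaults to YES) follow the vsftpd.conf(5) manual.

```python
"""Audit a vsftpd.conf for chown_uploads=YES with chown_username unset or root."""

# Constructed sample: the misconfiguration the advisory describes.
VULNERABLE_CONF = """\
# constructed example, not the device's real file
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
chown_uploads=YES
# chown_username is missing, so vsftpd falls back to root
"""

# Constructed sample: same service, uploads chowned to an unprivileged account.
FIXED_CONF = """\
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
chown_uploads=YES
chown_username=ftpupload
"""


def parse_vsftpd_conf(text):
    """Return {option: value} from vsftpd.conf text (option=value per line, '#' comments)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return opts


def _enabled(opts, key, default="NO"):
    # vsftpd boolean options accept YES/TRUE/1 case-insensitively.
    return opts.get(key, default).upper() in ("YES", "TRUE", "1")


def audit_chown_uploads(text):
    """Return a list of findings; an empty list means the config is not affected."""
    opts = parse_vsftpd_conf(text)
    if not _enabled(opts, "chown_uploads"):
        return []  # uploads keep the uploading user's ownership
    if opts.get("chown_username", "root") != "root":  # vsftpd default is root
        return []  # uploads are re-owned, but to an unprivileged account
    findings = ["chown_uploads=YES with chown_username unset or root: uploaded files become root-owned"]
    anon_upload = (_enabled(opts, "anonymous_enable", "YES")
                   and _enabled(opts, "write_enable")
                   and _enabled(opts, "anon_upload_enable"))
    if anon_upload:
        findings.append("anonymous uploads are enabled: root-owned files can be created without credentials")
    return findings
```

Run it against a device's exported vsftpd.conf; the remediation it implies is to set chown_username to a dedicated low-privilege account, or to disable chown_uploads entirely if re-owning uploads is not needed.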

Impact

Exploitation of this vulnerability could allow remote attackers with anonymous FTP access to gain root-level control over the affected device.

Added: Jul 26, 2025, 7:17 AM
Updated: Jul 26, 2025, 7:17 AM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 7.5
exploitability: 4.9
remediation: 0.0
relevance: 0.3
threat: 0.0
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.