Totolink N300RH OS Command Injection Vulnerability in Upgrade Function

Vulnerability

A command injection vulnerability has been identified in the Totolink N300RH wireless router, specifically in the firmware version 6.1c.1353_B20190305. The issue resides in the web management interface's 'setUpgradeUboot' function within the 'upgrade.so' file. This vulnerability allows remote attackers to execute arbitrary operating system commands with root privileges. The exploitation does not require authentication or user interaction.

Impact

Exploitation of this vulnerability leads to unauthorized remote code execution with root privileges on the affected device.

Reproduction

To reproduce this vulnerability, send a POST request to '/cgi-bin/cstecgi.cgi' with the 'topicurl' parameter set to 'setUpgradeUboot'. Inject shell metacharacters into the 'FileName' parameter to execute arbitrary commands. The execution can be verified by checking the output of the executed command in a web-accessible file.
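The request shape described above (a POST to the cstecgi.cgi endpoint with topicurl=setUpgradeUboot and a FileName value) is what a defender would key a detection on, and an allowlist on FileName is what a fixed handler would apply before the value reaches a shell. The following is an added example written for this page, not code from the advisory or from Totolink; the endpoint and parameter names are taken from the text above, while the sample requests, the metacharacter set and the allowlist pattern are constructed assumptions.

```python
"""Detection and input-validation example for the setUpgradeUboot command
injection described in the advisory. Added illustration, not vendor code;
the sample traffic below is constructed, not captured from a device."""
import re
from urllib.parse import unquote_plus

# Endpoint and parameter names as given in the advisory text.
TARGET_PATH = "/cgi-bin/cstecgi.cgi"
TARGET_TOPIC = "setUpgradeUboot"

# Characters that let a value break out of a shell command string (assumed set).
SHELL_META = re.compile(r"[;|&`$(){}<>\n\r]")

# Strict allowlist for a firmware file name: basename only, no path separators.
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def parse_form(body: str) -> dict:
    """Parse application/x-www-form-urlencoded, splitting only on '&' so a ';'
    inside a value survives for inspection (parse_qs's separator handling
    changed across Python versions, so this avoids depending on it)."""
    params = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), unquote_plus(value))
    return params


def is_safe_filename(name: str) -> bool:
    """Allowlist check a patched handler could apply before using the value."""
    return bool(SAFE_FILENAME.match(name)) and ".." not in name


def inspect_request(method: str, path: str, body: str) -> dict:
    """Classify one HTTP request against the vulnerable endpoint.

    Returns {'suspicious': bool, 'reason': str}.
    """
    if method.upper() != "POST" or path != TARGET_PATH:
        return {"suspicious": False, "reason": "not the upgrade endpoint"}
    params = parse_form(body)
    topic = params.get("topicurl", "")
    if topic != TARGET_TOPIC:
        return {"suspicious": False, "reason": f"topicurl={topic!r} is not {TARGET_TOPIC}"}
    filename = params.get("FileName", "")
    if SHELL_META.search(filename):
        return {"suspicious": True, "reason": f"shell metacharacter in FileName={filename!r}"}
    if not is_safe_filename(filename):
        return {"suspicious": True, "reason": f"FileName={filename!r} fails allowlist"}
    return {"suspicious": False, "reason": "setUpgradeUboot with well-formed FileName"}


# Constructed sample traffic: one benign upgrade call, two malformed ones,
# one unrelated topic (placeholder name), one unrelated GET.
SAMPLE_REQUESTS = [
    ("POST", "/cgi-bin/cstecgi.cgi", "topicurl=setUpgradeUboot&FileName=uboot.bin"),
    ("POST", "/cgi-bin/cstecgi.cgi", "topicurl=setUpgradeUboot&FileName=uboot.bin;id"),
    ("POST", "/cgi-bin/cstecgi.cgi", "topicurl=setUpgradeUboot&FileName=../../etc/passwd"),
    ("POST", "/cgi-bin/cstecgi.cgi", "topicurl=someOtherTopic"),
    ("GET", "/index.html", ""),
]


def flagged_requests(requests=SAMPLE_REQUESTS) -> list:
    """Return (path, body, reason) triples for every request the detector flags."""
    out = []
    for method, path, body in requests:
        verdict = inspect_request(method, path, body)
        if verdict["suspicious"]:
            out.append((path, body, verdict["reason"]))
    return out


if __name__ == "__main__":
    for path, body, reason in flagged_requests():
        print(f"ALERT {path} {body}: {reason}")
```

The detector flags on two conditions: any shell metacharacter in FileName, and any value that fails the basename allowlist (which also catches path traversal). Running the same allowlist inside the CGI handler, and passing the file name to the upgrade routine as an argument rather than through a shell string, is the mitigation this check models.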

Added: Apr 13, 2026, 5:21 AM
Updated: Apr 13, 2026, 5:21 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 5.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.