X6000r Firmware

x6000r_firmware

Vendor: Totolink • 57 CVEs

CVEs (57)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2026-4611 1Totolink 1X6000r Firmware Apr 3, 2026 Mar 23, 2026 8.6 HIGH· v4 8.8 HIGH· v3 8.3 HIGH· v2 A flaw has been found in TOTOLINK X6000R 9.4.0cu.1360_B20241207/9.4.0cu.1498_B20250826. Affected by this issue is the function setLanCfg of the file /usr/sbin/shttpd. Executing a manipulation of the argument Hostname can...Show more A flaw has been found in TOTOLINK X6000R 9.4.0cu.1360_B20241207/9.4.0cu.1498_B20250826. Affected by this issue is the function setLanCfg of the file /usr/sbin/shttpd. Executing a manipulation of the argument Hostname can lead to os command injection. The attack may be launched remotely.Show less
CVE-2025-70328 1Totolink 1X6000r Firmware Feb 26, 2026 Feb 23, 2026 N/A· v4 8.8 HIGH· v3 N/A· v2 TOTOLINK X6000R v9.4.0cu.1498_B20250826 contains an OS command injection vulnerability in the NTPSyncWithHost handler of the /usr/sbin/shttpd executable. The host_time parameter is retrieved via sub_40C404 and passed to...Show more TOTOLINK X6000R v9.4.0cu.1498_B20250826 contains an OS command injection vulnerability in the NTPSyncWithHost handler of the /usr/sbin/shttpd executable. The host_time parameter is retrieved via sub_40C404 and passed to a date -s shell command through CsteSystem. While the first two tokens of the input are validated, the remainder of the string is not sanitized, allowing authenticated attackers to execute arbitrary shell commands via shell metacharacters.Show less
CVE-2025-11005 1Totolink 1X6000r Firmware Oct 16, 2025 Sep 25, 2025 9.3 CRITICAL· v4 9.8 CRITICAL· v3 N/A· v2 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in TOTOLINK X6000R allows OS Command Injection.This issue affects X6000R: through V9.4.0cu.1458_B20250708.
CVE-2025-52907 1Totolink 1X6000r Firmware Oct 14, 2025 Sep 24, 2025 7.3 HIGH· v4 8.8 HIGH· v3 N/A· v2 Improper Input Validation vulnerability in TOTOLINK X6000R allows Command Injection, File Manipulation.This issue affects X6000R: through V9.4.0cu.1360_B20241207.
CVE-2025-52906 1Totolink 1X6000r Firmware Oct 14, 2025 Sep 24, 2025 9.3 CRITICAL· v4 9.8 CRITICAL· v3 N/A· v2 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in TOTOLINK X6000R allows OS Command Injection.This issue affects X6000R: through V9.4.0cu.1360_B20241207.
CVE-2025-52905 1Totolink 1X6000r Firmware Oct 8, 2025 Sep 23, 2025 7.0 HIGH· v4 7.5 HIGH· v3 N/A· v2 Improper Input Validation vulnerability in TOTOLINK X6000R allows Flooding.This issue affects X6000R: through V9.4.0cu.1360_B20241207.
CVE-2025-52053 1Totolink 1X6000r Firmware Sep 20, 2025 Sep 15, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 TOTOLINK X6000R V9.4.0cu.1360_B20241207 was found to contain a command injection vulnerability in the sub_417D74 function via the file_name parameter. This vulnerability allows unauthenticated attackers to execute arbitr...Show more TOTOLINK X6000R V9.4.0cu.1360_B20241207 was found to contain a command injection vulnerability in the sub_417D74 function via the file_name parameter. This vulnerability allows unauthenticated attackers to execute arbitrary commands via a crafted request.Show less
CVE-2025-52284 1Totolink 1X6000r Firmware Sep 15, 2025 Jul 29, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Totolink X6000R V9.4.0cu.1360_B20241207 was found to contain a command injection vulnerability in the sub_4184C0 function via the tz parameter. This vulnerability allows unauthenticated attackers to execute arbitrary com...Show more Totolink X6000R V9.4.0cu.1360_B20241207 was found to contain a command injection vulnerability in the sub_4184C0 function via the tz parameter. This vulnerability allows unauthenticated attackers to execute arbitrary commands via a crafted request.Show less
CVE-2025-25524 1Totolink 1X6000r Firmware Apr 29, 2025 Feb 11, 2025 N/A· v4 5.1 MEDIUM· v3 N/A· v2 Buffer overflow vulnerability in TOTOLink X6000R routers V9.4.0cu.652_B20230116 due to the lack of length verification, which is related to the addition of Wi-Fi filtering rules. Attackers who successfully exploit this v...Show more Buffer overflow vulnerability in TOTOLink X6000R routers V9.4.0cu.652_B20230116 due to the lack of length verification, which is related to the addition of Wi-Fi filtering rules. Attackers who successfully exploit this vulnerability can cause the remote target device to crash or execute arbitrary commands.Show less
CVE-2024-52723 1Totolink 1X6000r Firmware Mar 13, 2025 Nov 22, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 In TOTOLINK X6000R V9.4.0cu.1041_B20240224 in the shttpd file, the Uci_Set Str function is used without strict parameter filtering. An attacker can achieve arbitrary command execution by constructing the payload.
CVE-2024-7907 1Totolink 1X6000r Firmware Aug 19, 2024 Aug 18, 2024 5.3 MEDIUM· v4 9.8 CRITICAL· v3 6.5 MEDIUM· v2 A vulnerability, which was classified as critical, has been found in TOTOLINK X6000R 9.4.0cu.852_20230719. This issue affects the function setSyslogCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument r...Show more A vulnerability, which was classified as critical, has been found in TOTOLINK X6000R 9.4.0cu.852_20230719. This issue affects the function setSyslogCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument rtLogServer leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2024-2353 1Totolink 1X6000r Firmware Dec 16, 2024 Mar 10, 2024 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 A vulnerability, which was classified as critical, has been found in Totolink X6000R 9.4.0cu.852_20230719. This issue affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component shttpd. The man...Show more A vulnerability, which was classified as critical, has been found in Totolink X6000R 9.4.0cu.852_20230719. This issue affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component shttpd. The manipulation of the argument ip leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256313 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2024-1781 1Totolink 1X6000r Firmware Apr 1, 2025 Feb 23, 2024 N/A· v4 9.8 CRITICAL· v3 5.8 MEDIUM· v2 A vulnerability was found in Totolink X6000R AX3000 9.4.0cu.852_20230719. It has been rated as critical. This issue affects the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component shttpd. The manipula...Show more A vulnerability was found in Totolink X6000R AX3000 9.4.0cu.852_20230719. It has been rated as critical. This issue affects the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component shttpd. The manipulation leads to command injection. The exploit has been disclosed to the public and may be used. The identifier VDB-254573 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2024-1661 1Totolink 1X6000r Firmware Nov 21, 2024 Feb 20, 2024 N/A· v4 5.5 MEDIUM· v3 1.0 LOW· v2 A vulnerability classified as problematic was found in Totolink X6000R 9.4.0cu.852_B20230719. Affected by this vulnerability is an unknown functionality of the file /etc/shadow. The manipulation leads to hard-coded crede...Show more A vulnerability classified as problematic was found in Totolink X6000R 9.4.0cu.852_B20230719. Affected by this vulnerability is an unknown functionality of the file /etc/shadow. The manipulation leads to hard-coded credentials. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-254179. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2023-52040 1Totolink 1X6000r Firmware Nov 21, 2024 Jan 24, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue discovered in TOTOLINK X6000R v9.4.0cu.852_B20230719 allows attackers to run arbitrary commands via the sub_41284C function.
CVE-2023-52039 1Totolink 1X6000r Firmware May 30, 2025 Jan 24, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue discovered in TOTOLINK X6000R v9.4.0cu.852_B20230719 allows attackers to run arbitrary commands via the sub_415AA4 function.
CVE-2023-52038 1Totolink 1X6000r Firmware May 30, 2025 Jan 24, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue discovered in TOTOLINK X6000R v9.4.0cu.852_B20230719 allows attackers to run arbitrary commands via the sub_415C80 function.
CVE-2023-52042 1Totolink 1X6000r Firmware Nov 21, 2024 Jan 16, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue discovered in sub_4117F8 function in TOTOLINK X6000R V9.4.0cu.852_B20230719 allows attackers to run arbitrary commands via the 'lang' parameter.
CVE-2023-52041 1Totolink 1X6000r Firmware Jun 17, 2025 Jan 16, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue discovered in TOTOLINK X6000R V9.4.0cu.852_B20230719 allows attackers to run arbitrary code via the sub_410118 function of the shttpd program.
CVE-2023-50651 1Totolink 1X6000r Firmware Apr 17, 2025 Dec 30, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 TOTOLINK X6000R v9.4.0cu.852_B20230719 was discovered to contain a remote command execution (RCE) vulnerability via the component /cgi-bin/cstecgi.cgi.

12 3 Next