TOTOLINK X5000R CVE-2025-14586
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was determined in TOTOLINK X5000R 9.1.0cu.2089_B20211224. Affected by this issue is the function snprintf of the file /cgi-bin/cstecgi.cgi?action=exportOvpn&type=user. This manipulation of the argument User causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
AnalysisAI
OS command injection in TOTOLINK X5000R firmware 9.1.0cu.2089_B20211224 allows authenticated remote attackers to execute arbitrary system commands via the User parameter in the /cgi-bin/cstecgi.cgi exportOvpn function. The vulnerability requires valid login credentials but results in complete system compromise once authenticated. Public exploit code is available, and the CVSS score of 2.1 significantly underrepresents the true risk due to the low-impact scoring parameters masking the severity of unauthenticated command execution in a network-accessible management interface.
Technical ContextAI
The vulnerability resides in the TOTOLINK X5000R router's web-based management interface, specifically in the cstecgi.cgi CGI script which handles VPN configuration export functionality. The snprintf function in the exportOvpn action improperly sanitizes the User parameter before passing it to an OS command execution context, violating CWE-77 (Improper Neutralization of Special Elements used in a Command). The affected firmware version is 9.1.0cu.2089_B20211224, which is identified by CPE as a TOTOLINK X5000R device. The attack leverages the fact that the CGI script constructs shell commands using unsanitized user input without proper escaping or validation.
RemediationAI
TOTOLINK has not released a patched firmware version for the X5000R at the time of this analysis based on available data. Immediate mitigation requires restricting network access to the router's web management interface by enabling firewall rules to allow only trusted administrator IP addresses to reach the device's HTTPS port (typically 443), reducing the attack surface to authenticated users on controlled networks only. Additionally, enforce strong, unique administrative credentials and disable remote management access if not required for operational needs. Monitor the TOTOLINK official website (https://www.totolink.net/) for security updates, as the vendor advisory has not yet published a confirmed patch version. Organizations should consider upgrading to a newer firmware version if available from TOTOLINK, or replacing the affected device if no patch is forthcoming within a reasonable timeframe.
More in X5000r Firmware
View allTOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 contain a command insertion vulnerability in setting/s
TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain a command injection via the setWanCfg function. Rated
Argument injection in TOTOLINK X5000R router v9.1.0cu via setDiagnosisCfg handler allows unauthenticated remote code exe
TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain a command injection vulnerability via the 'port' param
Buffer Overflow vulnerability in TOTOLink X5000R V9.1.0u.6118-B20201102 and A7000R V9.1.0u.6115-B20201022, allow remote
A vulnerability was found in Totolink X5000R 9.1.0cu.2300_B20230112. Rated critical severity (CVSS 9.8), this vulnerabil
TOTOLINK X5000R V9.1.0u.6118_B20201102 and TOTOLINK A7000R V9.1.0u.6115_B20201022 was discovered to contain a stack over
TOTOLINK X5000R V9.1.0u.6118_B20201102 and TOTOLINK A7000R V9.1.0u.6115_B20201022 was discovered to contain a stack over
TOTOLINK X5000R V9.1.0u.6118_B20201102 and TOTOLINK A7000R V9.1.0u.6115_B20201022 was discovered to contain a stack over
TOTOLINK X5000R B20210419 was discovered to contain a remote code execution (RCE) vulnerability via the setTracerouteCfg
TOTOLINK X5000R_V9.1.0cu.2089_B20211224 and X5000R_V9.1.0cu.2350_B20230313 were discovered to contain a remote code exec
TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 contains a command insertion vulnerability in setDiagn
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today