CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
A flaw has been found in TOTOLINK X6000R 9.4.0cu.1360_B20241207/9.4.0cu.1498_B20250826. The issue affects the function setLanCfg of the file /usr/sbin/shttpd. Manipulating the argument Hostname can lead to OS command injection. The attack may be launched remotely.
Analysis
This vulnerability is an OS command injection flaw in the setLanCfg function of TOTOLINK X6000R routers running firmware versions 9.4.0cu.1360_B20241207 and 9.4.0cu.1498_B20250826. An authenticated attacker with high privileges can execute arbitrary operating system commands by manipulating the Hostname parameter in /usr/sbin/shttpd, potentially leading to complete device compromise. …
Remediation
Within 24 hours: Inventory all TOTOLINK X6000R devices running firmware 9.4.0cu.1360_B20241207 or 9.4.0cu.1498_B20250826 and restrict administrative access to trusted personnel only. Within 7 days: Implement network segmentation to isolate affected routers from critical infrastructure and deploy WAF rules to filter malicious Hostname parameter inputs to /usr/sbin/shttpd. …
EUVD-2026-14603
GHSA-56rf-g9gc-682p