Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A flaw has been found in TOTOLINK X6000R 9.4.0cu.1360_B20241207/9.4.0cu.1498_B20250826. Affected by this issue is the function setLanCfg of the file /usr/sbin/shttpd. Executing a manipulation of the argument Hostname can lead to os command injection. The attack may be launched remotely.
AnalysisAI
This vulnerability is an OS command injection flaw in the setLanCfg function of TOTOLINK X6000R routers running firmware versions 9.4.0cu.1360_B20241207 and 9.4.0cu.1498_B20250826. An authenticated attacker with high privileges can execute arbitrary operating system commands by manipulating the Hostname parameter in /usr/sbin/shttpd, potentially leading to complete device compromise. The vulnerability was disclosed via VulDB submission with proof-of-concept information available through reference ID 352475, though no active exploitation (KEV listing) has been reported.
Technical ContextAI
The vulnerability affects the TOTOLINK X6000R router firmware (CPE: cpe:2.3:a:totolink:x6000r), specifically in the shttpd web server daemon's setLanCfg function. This represents a classic CWE-78 OS command injection vulnerability where user-supplied input (the Hostname parameter) is passed to system shell commands without proper sanitization or validation. The shttpd daemon is a lightweight HTTP server commonly used in embedded router firmware to provide the web-based administration interface. When the setLanCfg function processes LAN configuration requests, it appears to directly incorporate the Hostname value into shell commands, allowing attackers to break out of the intended command context using shell metacharacters and inject arbitrary commands that execute with the privileges of the web server process.
RemediationAI
Check the TOTOLINK vendor website at https://www.totolink.net/ for firmware updates addressing this vulnerability, though no patched version has been explicitly identified in the available references. Until a security patch is released and applied, implement defense-in-depth mitigations: disable remote administration access to the router's web interface, restrict management access to trusted internal networks only using firewall rules or the router's access control features, enforce strong unique administrative passwords, and monitor authentication logs for suspicious login attempts. Consider placing affected devices behind a separate management VLAN isolated from untrusted networks. Organizations should also review VulDB references at https://vuldb.com/?id.352475 and https://vuldb.com/?ctiid.352475 for additional technical details and monitor for vendor patch announcements.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14603
GHSA-56rf-g9gc-682p