Skip to main content

X6000R EUVDEUVD-2026-14603

| CVE-2026-4611 HIGH
OS Command Injection (CWE-78)
2026-03-23 VulDB GHSA-56rf-g9gc-682p
8.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Mar 23, 2026 - 21:30 euvd
EUVD-2026-14603
Analysis Generated
Mar 23, 2026 - 21:30 vuln.today
CVE Published
Mar 23, 2026 - 21:13 nvd
HIGH 8.6

DescriptionCVE.org

A flaw has been found in TOTOLINK X6000R 9.4.0cu.1360_B20241207/9.4.0cu.1498_B20250826. Affected by this issue is the function setLanCfg of the file /usr/sbin/shttpd. Executing a manipulation of the argument Hostname can lead to os command injection. The attack may be launched remotely.

AnalysisAI

This vulnerability is an OS command injection flaw in the setLanCfg function of TOTOLINK X6000R routers running firmware versions 9.4.0cu.1360_B20241207 and 9.4.0cu.1498_B20250826. An authenticated attacker with high privileges can execute arbitrary operating system commands by manipulating the Hostname parameter in /usr/sbin/shttpd, potentially leading to complete device compromise. The vulnerability was disclosed via VulDB submission with proof-of-concept information available through reference ID 352475, though no active exploitation (KEV listing) has been reported.

Technical ContextAI

The vulnerability affects the TOTOLINK X6000R router firmware (CPE: cpe:2.3:a:totolink:x6000r), specifically in the shttpd web server daemon's setLanCfg function. This represents a classic CWE-78 OS command injection vulnerability where user-supplied input (the Hostname parameter) is passed to system shell commands without proper sanitization or validation. The shttpd daemon is a lightweight HTTP server commonly used in embedded router firmware to provide the web-based administration interface. When the setLanCfg function processes LAN configuration requests, it appears to directly incorporate the Hostname value into shell commands, allowing attackers to break out of the intended command context using shell metacharacters and inject arbitrary commands that execute with the privileges of the web server process.

RemediationAI

Check the TOTOLINK vendor website at https://www.totolink.net/ for firmware updates addressing this vulnerability, though no patched version has been explicitly identified in the available references. Until a security patch is released and applied, implement defense-in-depth mitigations: disable remote administration access to the router's web interface, restrict management access to trusted internal networks only using firewall rules or the router's access control features, enforce strong unique administrative passwords, and monitor authentication logs for suspicious login attempts. Consider placing affected devices behind a separate management VLAN isolated from untrusted networks. Organizations should also review VulDB references at https://vuldb.com/?id.352475 and https://vuldb.com/?ctiid.352475 for additional technical details and monitor for vendor patch announcements.

Share

EUVD-2026-14603 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy