CVE-2025-60687
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-13

Last updated on: 2025-11-19

Assigner: MITRE

Description
An unauthenticated command injection vulnerability exists in the ToToLink LR1200GB Router firmware V9.1.0u.6619_B20230130 within the cstecgi.cgi binary (sub_41EC68 function). The binary reads the "imei" parameter from a web request and verifies only that it is 15 characters long. The parameter is then directly inserted into a system command using sprintf() and executed with system(). Maliciously crafted IMEI input can execute arbitrary commands on the router without authentication.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-13
Last Modified
2025-11-19
Generated
2026-06-16
AI Q&A
2025-11-13
EPSS Evaluated
2026-06-14
NVD
CVE-2025-60687
EUVD
EUVD-2025-175303
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
totolink lr1200gb_firmware 9.1.0u.6619_b20230130
totolink lr1200gb *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an unauthenticated command injection in the ToToLink LR1200GB Router firmware V9.1.0u.6619_B20230130. Specifically, the cstecgi.cgi binary reads the 'imei' parameter from a web request and only checks that it is 15 characters long. It then inserts this parameter directly into a system command using sprintf() and executes it with system(). Because of this, an attacker can craft a malicious IMEI input to execute arbitrary commands on the router without needing to authenticate.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary commands on the affected router without authentication. This can lead to full compromise of the router, including unauthorized access, control over network traffic, potential data interception, disruption of network services, and further attacks on connected devices.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-60687. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart