CVE-2025-70327
Command Injection in TOTOLINK X5000R Ping Causes DoS
Publication date: 2026-02-23
Last updated on: 2026-02-26
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| totolink | x5000r_firmware | 9.1.0cu.2415_b20250515 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-88 | The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string. |
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in TOTOLINK X5000R version 9.1.0cu_2415_B20250515 within the setDiagnosisCfg handler of the /usr/sbin/lighttpd executable.
Specifically, the ip parameter is obtained via websGetVar and then passed to a ping command through CsteSystem without checking if the input starts with a hyphen (-).
This lack of validation allows remote authenticated attackers to inject arbitrary command-line options into the ping utility.
As a result, attackers can manipulate the ping command execution, potentially causing Denial of Service (DoS) by making the system consume excessive resources or run the ping command for an extended period.
How can this vulnerability impact me?
This vulnerability can lead to a Denial of Service (DoS) condition on the affected device.
By injecting arbitrary command-line options into the ping utility, an attacker can cause excessive resource consumption or prolonged execution of the ping command.
This may result in degraded device performance, unavailability of network diagnostic functions, or even complete service disruption on the TOTOLINK X5000R router.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an argument injection in the setDiagnosisCfg handler of the /usr/sbin/lighttpd executable, where the ip parameter is passed unchecked to the ping command. Detection can focus on monitoring for unusual or malformed ping command executions initiated by the lighttpd process.
You can check for suspicious usage of the ping command by examining process executions or logs for commands starting with a hyphen (-) in the ip parameter or unusual command-line options passed to ping.
Suggested commands to detect potential exploitation attempts include:
- Use process monitoring tools like ps or top to look for ping commands spawned by lighttpd: ps aux | grep lighttpd
- Check system logs or web server logs for requests to the setDiagnosisCfg handler that include suspicious ip parameters starting with a hyphen (-).
- Use command auditing tools like auditd to monitor executions of /usr/sbin/lighttpd and ping commands. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable setDiagnosisCfg handler to trusted users only, as the vulnerability requires remote authenticated access.
Additionally, monitor and limit the input passed to the ip parameter to ensure it does not start with a hyphen (-), preventing injection of arbitrary command-line options.
If possible, disable or restrict the use of the ping command by the lighttpd process or apply firewall rules to limit access to the affected service.
Finally, check for and apply any available firmware or software updates from TOTOLINK that address this vulnerability.
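The argument-injection pattern described in the explanation above, and the input-validation mitigation suggested here, illustrated as an added C example (not the TOTOLINK firmware's code; the function names, the fixed packet count of 4 and the fork/execvp launch are assumptions). Instead of rejecting only a leading hyphen, the target is accepted only if it parses as an IP address literal, and ping is launched with a fixed argv rather than a shell command string, so the request can neither add options nor extend the run.

```c
#include <arpa/inet.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 only when `ip` is a literal IPv4 or IPv6 address. A value that
 * starts with '-' (the pattern this CVE describes) or that is anything other
 * than an address literal is rejected, so it can never reach ping as an
 * option. Hypothetical replacement for the handler's missing check. */
int is_valid_ping_target(const char *ip)
{
    unsigned char buf[sizeof(struct in6_addr)];
    if (ip == NULL || ip[0] == '\0' || ip[0] == '-')
        return 0;
    if (inet_pton(AF_INET, ip, buf) == 1)
        return 1;
    if (inet_pton(AF_INET6, ip, buf) == 1)
        return 1;
    return 0;
}

/* Fills a fixed argv for ping: bounded count, target last, no shell involved.
 * Returns 0 (and leaves argv untouched) when the target fails validation. */
int build_ping_argv(const char *ip, const char *argv[5])
{
    if (!is_valid_ping_target(ip))
        return 0;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "4";   /* packet count is fixed by the handler, not the request */
    argv[3] = ip;
    argv[4] = NULL;
    return 1;
}

/* Runs the diagnostic ping with fork/execvp instead of a system()-style
 * string. Returns ping's exit status, or -1 if the target was rejected. */
int run_diagnostic_ping(const char *ip)
{
    const char *argv[5];
    int status = 0;
    if (!build_ping_argv(ip, argv))
        return -1;
    pid_t pid = fork();
    if (pid == 0) { execvp(argv[0], (char *const *)argv); _exit(127); }
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```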