CVE-2025-70329
Status: Received - Intake
OS Command Injection in TOTOLink X5000R Lighttpd Allows Root Execution

Publication date: 2026-02-23

Last updated on: 2026-02-24

Assigner: MITRE

Description
TOTOLink X5000R v9.1.0cu_2415_B20250515 contains an OS command injection vulnerability in the setIptvCfg handler of the /usr/sbin/lighttpd executable. The vlanVidLan1 (and other vlanVidLanX) parameters are retrieved via Uci_Get_Str and passed to the CsteSystem function without adequate validation or filtering. This allows an authenticated attacker to execute arbitrary shell commands with root privileges by injecting shell metacharacters into the affected parameters.
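To make the root cause concrete, the following is an added example (not TOTOLink's code) of the pattern the description names, placed beside a hardened version. The command template "vconfig add eth0" is a hypothetical stand-in, since the page does not say which command the handler runs; parse_vlan_id accepts only a decimal VLAN ID in range, so no shell metacharacter can reach the command string.

```c
/* Added example, not TOTOLink firmware code. The command template below is
 * a hypothetical stand-in for whatever the real setIptvCfg handler runs. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <ctype.h>

#define VLAN_MIN 1
#define VLAN_MAX 4094

/* Vulnerable pattern (CWE-78): the raw vlanVidLanX value is spliced into a
 * shell string verbatim. Anything it carries is interpreted by /bin/sh when
 * the caller hands the buffer to a system()-style function. */
int vlan_cmd_unsafe(const char *vlan_vid, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "vconfig add eth0 %s", vlan_vid);
    return n > 0 && (size_t)n < outlen;
}

/* Hardened: parse the value as a decimal VLAN ID and reject anything else.
 * Returns 1 and stores the ID on success; 0 on any deviation (sign,
 * leading whitespace, trailing bytes, out of range). */
int parse_vlan_id(const char *s, int *vid) {
    char *end;
    long v;
    if (s == NULL || *s == '\0' || !isdigit((unsigned char)*s)) return 0;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0') return 0;   /* "100;id" stops at ';' */
    if (v < VLAN_MIN || v > VLAN_MAX) return 0;
    *vid = (int)v;
    return 1;
}

/* Hardened builder: only a validated integer is ever formatted into the
 * template, so no metacharacter can appear in the resulting command.
 * (Better still is to exec the tool with an argv array and no shell; this
 * keeps the page's system()-style shape to show the minimal fix.) */
int vlan_cmd_safe(const char *vlan_vid, char *out, size_t outlen) {
    int vid;
    if (!parse_vlan_id(vlan_vid, &vid)) return 0;
    int n = snprintf(out, outlen, "vconfig add eth0 %d", vid);
    return n > 0 && (size_t)n < outlen;
}
```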
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-02-23
EPSS evaluated: 2026-06-15
Affected Vendors & Products
Vendor: totolink
Product: x5000r_firmware
Version: 9.1.0cu.2415_b20250515
CWE
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Executive Summary

The vulnerability exists in TOTOLink X5000R version 9.1.0cu_2415_B20250515 within the setIptvCfg handler of the /usr/sbin/lighttpd executable. It is an OS command injection flaw where certain parameters, such as vlanVidLan1 and other vlanVidLanX, are obtained without proper validation or filtering and then passed to a system function. This allows an authenticated attacker to inject shell metacharacters and execute arbitrary commands with root privileges on the device.

Impact Analysis

This vulnerability can have severe impacts because it allows an authenticated attacker to execute arbitrary shell commands with root privileges. This means the attacker could take full control of the affected device, potentially leading to unauthorized access, data theft, disruption of services, or further compromise of the network where the device is deployed.

Detection Guidance

Detection of this vulnerability involves checking for the presence of the vulnerable TOTOLink X5000R firmware version and monitoring for suspicious usage of the setIptvCfg handler in the /usr/sbin/lighttpd executable.

Since the vulnerability involves injection via the vlanVidLanX parameters, you can look for unusual or unexpected shell metacharacters in requests or configuration parameters related to IPTV settings.

  • Check the firmware version to confirm if it is v9.1.0cu_2415_B20250515 or earlier.
  • Monitor logs for calls to /usr/sbin/lighttpd with setIptvCfg handler parameters containing shell metacharacters such as ;, &, |, `, $(), etc.
  • Example command to check the firmware version (if accessible via SSH):
    cat /etc/version
  • Example command to search logs for suspicious commands:
    grep -E 'setIptvCfg.*[;&|`$()]' /var/log/lighttpd/access.log [1]

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable setIptvCfg handler and ensuring only trusted authenticated users can access the device.

Additionally, avoid using the vulnerable firmware version and upgrade to a patched version once available.

  • Limit network access to the device management interface to trusted IP addresses.
  • Disable or restrict the use of IPTV configuration features if not needed.
  • Monitor and audit device logs for suspicious activity related to the setIptvCfg handler.
  • Apply firmware updates from TOTOLink when a patch addressing this vulnerability is released.