CVE-2025-70329
OS Command Injection in TOTOLink X5000R Lighttpd Allows Root Execution
Publication date: 2026-02-23
Last updated on: 2026-02-24
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| totolink | x5000r_firmware | 9.1.0cu.2415_b20250515 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in TOTOLink X5000R version 9.1.0cu_2415_B20250515 within the setIptvCfg handler of the /usr/sbin/lighttpd executable. It is an OS command injection flaw where certain parameters, such as vlanVidLan1 and other vlanVidLanX, are obtained without proper validation or filtering and then passed to a system function. This allows an authenticated attacker to inject shell metacharacters and execute arbitrary commands with root privileges on the device.
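The defensive fix for this class of bug (CWE-78) is to never let the raw parameter string reach a command at all: parse it into the narrow type it is supposed to be and build the command from that value only. The following is an added illustration, not TOTOLink's code; the function names, the `vconfig` command shape and the 1..4094 VLAN range are assumptions for the example.

```c
/* Added example (not the firmware's code): allow-list validation of a
 * vlanVidLanX-style parameter before any OS command is constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define VLAN_MIN 1      /* assumed valid 802.1Q range */
#define VLAN_MAX 4094

/* Return the VLAN ID as an int if s is a short, purely decimal string in
 * range; otherwise -1. Any non-digit byte (';', '&', '|', '`', '$', '(',
 * spaces, newlines) fails here, so shell metacharacters are never copied. */
int parse_vlan_id(const char *s)
{
    if (s == NULL || *s == '\0' || strlen(s) > 4)
        return -1;
    for (const char *p = s; *p; p++)
        if (!isdigit((unsigned char)*p))
            return -1;
    long v = strtol(s, NULL, 10);
    if (v < VLAN_MIN || v > VLAN_MAX)
        return -1;
    return (int)v;
}

/* Build the command from the validated integer only. The original string
 * is never placed in the buffer. Returns 0 on success, -1 if rejected or
 * if the buffer is too small. The command text itself is hypothetical. */
int build_vlan_cmd(const char *vlan_param, char *out, size_t outlen)
{
    int vid = parse_vlan_id(vlan_param);
    if (vid < 0)
        return -1;
    int n = snprintf(out, outlen, "vconfig add eth0 %d", vid);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* constructed sample inputs: two valid, the rest must be rejected */
    const char *samples[] = { "100", "4094", "0", "4095", "100;id", "$(id)", "10 " };
    char cmd[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (build_vlan_cmd(samples[i], cmd, sizeof cmd) == 0)
            printf("accepted %-8s -> %s\n", samples[i], cmd);
        else
            printf("rejected %s\n", samples[i]);
    }
    return 0;
}
```

If the device must shell out at all, passing the validated integer to an exec-family call with an argument vector (rather than `system()` with a formatted string) removes the shell from the path entirely.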
How can this vulnerability impact me?
This vulnerability can have severe impacts because it allows an authenticated attacker to execute arbitrary shell commands with root privileges. This means the attacker could take full control of the affected device, potentially leading to unauthorized access, data theft, disruption of services, or further compromise of the network where the device is deployed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking for the presence of the vulnerable TOTOLink X5000R firmware version and monitoring for suspicious usage of the setIptvCfg handler in the /usr/sbin/lighttpd executable.
Since the vulnerability involves injection via the vlanVidLanX parameters, you can look for unusual or unexpected shell metacharacters in requests or configuration parameters related to IPTV settings.
- Check the firmware version to confirm if it is v9.1.0cu_2415_B20250515 or earlier.
- Monitor logs for calls to /usr/sbin/lighttpd with setIptvCfg handler parameters containing shell metacharacters such as ;, &, |, `, $(), etc.
- Example command to check firmware version (if accessible via SSH):
```sh
cat /etc/version
```
- Example command to search logs for suspicious commands:
```sh
grep -E 'setIptvCfg.*[;&|`$()]' /var/log/lighttpd/access.log
```
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable setIptvCfg handler and ensuring only trusted authenticated users can access the device.
Additionally, avoid using the vulnerable firmware version and upgrade to a patched version once available.
- Limit network access to the device management interface to trusted IP addresses.
- Disable or restrict the use of IPTV configuration features if not needed.
- Monitor and audit device logs for suspicious activity related to the setIptvCfg handler.
- Apply firmware updates from TOTOLink when a patch addressing this vulnerability is released.