CVE-2026-15204
Received Received - Intake

Path Traversal in TOTOLINK X5000R Firmware

Vulnerability report for CVE-2026-15204, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: VulDB

Description

A vulnerability was detected in TOTOLINK X5000R 9.1.0cu.2415_B20250515/9.1.0cu.2350_B20230313. Affected by this vulnerability is the function exportOvpn of the file /web/cgi-bin/cstecgi.cgi of the component OpenVPN Export. The manipulation results in path traversal. The attack may be launched remotely.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
totolink x5000r From 9.1.0cu.2415_B20250515 (inc)
totolink x5000r From 9.1.0cu.2350_B20230313 (inc)
totolink x5000r 9.1.0cu.2415_b20250515
totolink x5000r 9.1.0cu.2350_b20230313

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated attackers to access OpenVPN user profile files or archives containing sensitive VPN credentials such as certificates, private keys, or server addresses. This unauthorized access could lead to exposure of sensitive personal or organizational data transmitted over the VPN.

Such exposure of sensitive data may impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and health information against unauthorized access. If attackers exploit this vulnerability to gain unauthorized VPN access, it could result in data breaches violating these standards.

Executive Summary

CVE-2026-15204 is a pre-authenticated file disclosure vulnerability in TOTOLINK X5000R routers, specifically in firmware versions 9.1.0cu.2415_B20250515 and 9.1.0cu.2350_B20230313. The flaw exists in the exportOvpn function of the /web/cgi-bin/cstecgi.cgi component, which handles OpenVPN exports.

An attacker can remotely exploit this vulnerability by manipulating the username parameter with path traversal sequences (../) to access OpenVPN user profile files or archives without authentication.

The vulnerability is limited by forced file suffixes: .ovpn for mode=config and .tar.gz for filetype=gz, but if these files contain sensitive VPN credentials such as certificates, private keys, or server addresses, unauthorized VPN access could be gained.

Impact Analysis

This vulnerability can allow an unauthenticated remote attacker to access sensitive OpenVPN configuration files containing VPN credentials.

If the attacker obtains certificates, private keys, or server addresses from these files, they could gain unauthorized access to the VPN network, potentially bypassing authentication controls.

Such unauthorized access could lead to data exposure, network intrusion, or further exploitation within the protected network.

Detection Guidance

This vulnerability can be detected by attempting to exploit the path traversal in the exportOvpn function of the /web/cgi-bin/cstecgi.cgi endpoint on TOTOLINK X5000R routers running affected firmware versions.

A typical detection method involves sending HTTP requests that manipulate the username parameter with path traversal sequences (../) to try to access OpenVPN user profile files or archives.

Example curl commands to test for the vulnerability include:

  • curl -v "http://<router-ip>/web/cgi-bin/cstecgi.cgi?exportOvpn&username=../../../../etc/passwd&mode=config"
  • curl -v "http://<router-ip>/web/cgi-bin/cstecgi.cgi?exportOvpn&username=../../../../etc/passwd&filetype=gz"

If the response contains OpenVPN configuration files or archives, it indicates the presence of the vulnerability.

Mitigation Strategies

Immediate mitigation steps include:

  • Restrict access to the router's web interface from untrusted networks to prevent remote exploitation.
  • Apply any available firmware updates from TOTOLINK that address this vulnerability.
  • If no patch is available, consider disabling the OpenVPN export functionality or restricting its usage.
  • Monitor network traffic for suspicious requests targeting /web/cgi-bin/cstecgi.cgi with unusual username parameters.

These steps help reduce the risk of unauthorized access through the path traversal vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15204. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart