CVE-2022-25084

Name of the Vulnerable Software and Affected Versions TOTOLink T6 version V5.9c.4085 B20190428

Description The issue is related to the lack of input data sanitization in the "Main" function of the TOTOLink T6 mesh system's firmware. This allows a remote attacker to execute arbitrary commands through the QUERY STRING parameter.

Recommendations For TOTOLink T6 version V5.9c.4085 B20190428, consider disabling the "Main" function until a patch is available to prevent exploitation via the QUERY STRING parameter. Restrict access to the vulnerable function to minimize the risk of arbitrary command execution. Avoid using the QUERY STRING parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.