CVE-2022-25078

Name of the Vulnerable Software and Affected Versions TOTOLink A3600R version 4.1.2cu.5182 B20201102

Description The issue is related to a command injection vulnerability in the "Main" function of the TOTOLink A3600R router's firmware. This vulnerability is caused by the lack of input data sanitization, allowing attackers to execute arbitrary commands via the QUERY STRING parameter.

Recommendations For TOTOLink A3600R version 4.1.2cu.5182 B20201102, consider restricting access to the "Main" function until a patch is available. As a temporary workaround, avoid using the QUERY STRING parameter in affected API endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.