CVE-2025-60702

Name of the Vulnerable Software and Affected Versions TOTOLINK A950RG Router firmware versions V5.9c.4592 B20191022 ALL

Description A command injection issue exists in the TOTOLINK A950RG Router firmware. The setDiagnosisCfg function retrieves the ipDoamin parameter from user input via websGetVar and incorporates it into a ping system command executed via CsteSystem() without proper sanitization. An unauthenticated remote attacker can leverage this to execute arbitrary commands on the device by sending crafted HTTP requests to the router's web interface. The vulnerable component is the system.so binary.

Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the setDiagnosisCfg function. Avoid using the ipDoamin parameter in HTTP requests to the router's web interface until the issue is resolved.