CVE-2025-70329

Name of the Vulnerable Software and Affected Versions TOTOLink X5000R version 9.1.0cu 2415 B20250515

Description The TOTOLink X5000R router firmware contains an OS command injection issue in the setIptvCfg handler of the /usr/sbin/lighttpd executable. The vlanVidLan1 (and other vlanVidLanX) parameters, obtained using Uci Get Str, are passed to the CsteSystem function without sufficient validation. This allows an authenticated attacker to execute arbitrary shell commands with root privileges by injecting shell metacharacters into the affected parameters.

Recommendations Update to a newer version that contains a fix for this vulnerability.