PT-2026-21551 · Totolink · Totolink X5000R

Published: 2025-10-22 · Updated: 2026-02-28 · CVE-2025-70327

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: TOTOLINK X5000R version 9.1.0cu 2415 B20250515
Description: The software contains an argument injection flaw in the setDiagnosisCfg handler of the /usr/sbin/lighttpd executable. The ip parameter, obtained using websGetVar, is passed to a ping command through CsteSystem without validation that rejects inputs starting with a hyphen (-). This allows authenticated remote attackers to inject arbitrary command-line options into the ping utility, potentially causing a Denial of Service (DoS) through excessive resource usage or prolonged execution.
Recommendations: Update to a newer version that contains a fix for this vulnerability.
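As an added example (not the vendor's or lighttpd's code; the function names and the `-c 4` bound are assumptions), here is the kind of check the description calls for: the `ip` value is accepted only if it parses as a literal IPv4 or IPv6 address, which rules out anything starting with `-`, and ping is started from an argv array with a `--` end-of-options marker instead of a shell command string.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical hardening of the path the advisory describes: validate the ip
 * parameter before it reaches ping, and exec ping from an argv array, not a shell string. */

/* Accept only a literal IPv4 or IPv6 address. Option-like strings (anything
 * starting with '-'), hostnames and values with trailing junk all fail. */
bool is_safe_ping_target(const char *ip)
{
    unsigned char buf[16];
    if (ip == NULL || ip[0] == '\0' || ip[0] == '-')
        return false;                    /* the explicit rule the advisory calls for */
    if (strlen(ip) > INET6_ADDRSTRLEN - 1)
        return false;
    return inet_pton(AF_INET, ip, buf) == 1 || inet_pton(AF_INET6, ip, buf) == 1;
}

/* Fill argv for ping: a bounded count so the run cannot be prolonged, and "--"
 * (end of options for getopt-style parsers) so the target is only ever a host.
 * Returns the argc written, or 0 if the target is rejected. */
size_t build_ping_argv(const char *ip, const char *argv[], size_t cap)
{
    if (cap < 6 || !is_safe_ping_target(ip))
        return 0;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "4";
    argv[3] = "--";
    argv[4] = ip;
    argv[5] = NULL;
    return 5;
}

/* Handler stub: exec ping directly (no shell) with the validated argv. */
int run_diagnosis_ping(const char *ip)
{
    const char *argv[6];
    if (build_ping_argv(ip, argv, 6) == 0)
        return -1;                       /* rejected before anything is spawned */
    pid_t pid = fork();
    if (pid == 0) { execvp(argv[0], (char *const *)argv); _exit(127); }
    int status = -1;
    return (pid > 0 && waitpid(pid, &status, 0) == pid) ? status : -1;
}
```

Whether `--` is honoured depends on the ping build on the device, so the address validation is the primary control and the marker is defence in depth.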

Exploit
Fix

Weakness Enumeration: Resource Exhaustion, Argument Injection

Related Identifiers: BDU:2026-02541, CVE-2025-70327

Affected Products: Totolink X5000R, Lighttpd