PT-2026-21552 · Totolink · Totolink X6000R

Published

2025-10-22

·

Updated

2026-02-28

·

CVE-2025-70328

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

TOTOLINK X6000R version 9.4.0cu.1498 B20250826

Description

The software contains an OS command injection issue in the NTPSyncWithHost handler of the /usr/sbin/shttpd executable. The host time parameter is processed by the sub_40C404 function and passed to a `date -s` shell command through CsteSystem. Only the initial tokens of the input are validated; the remaining input is not sanitized, which potentially allows authenticated attackers to execute arbitrary shell commands using shell metacharacters.

Recommendations

Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the NTPSyncWithHost handler.
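The weakness described above is a partial allow-list check followed by shell interpolation. The added example below (written for this record; it is not Totolink's firmware code and the function names, the assumed "YYYY-MM-DD HH:MM:SS" input format and the sample inputs are hypothetical) contrasts a check that inspects only the leading token with a strict whole-string validator, and then invokes `date -s` through fork/execvp so the argument is never handed to /bin/sh at all.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for the weak pattern in the advisory: only the first
   token (here, a four-digit year) is inspected, so any trailing text is
   accepted and would reach the shell unchanged. Returns 1 when accepted. */
int weak_check_first_token(const char *s) {
    int i = 0;
    while (i < 4 && isdigit((unsigned char)s[i])) i++;
    return i == 4;
}

/* Strict allow-list validator for "YYYY-MM-DD HH:MM:SS" (format assumed):
   exact length, digits only in digit positions, fixed separators, and basic
   range checks. Anything else, including shell metacharacters, is rejected. */
int valid_datetime(const char *s) {
    const char *pat = "dddd-dd-dd dd:dd:dd";
    size_t n = strlen(pat);
    if (strlen(s) != n) return 0;
    for (size_t i = 0; i < n; i++) {
        if (pat[i] == 'd') {
            if (!isdigit((unsigned char)s[i])) return 0;
        } else if (s[i] != pat[i]) {
            return 0;
        }
    }
    int mon = (s[5] - '0') * 10 + (s[6] - '0');
    int day = (s[8] - '0') * 10 + (s[9] - '0');
    int hh  = (s[11] - '0') * 10 + (s[12] - '0');
    int mm  = (s[14] - '0') * 10 + (s[15] - '0');
    int ss  = (s[17] - '0') * 10 + (s[18] - '0');
    return mon >= 1 && mon <= 12 && day >= 1 && day <= 31 &&
           hh < 24 && mm < 60 && ss < 60;
}

/* Build the argv for "date -s <value>" without a shell. Returns 0 on
   success, -1 when the value fails validation. */
int build_date_argv(const char *input, const char *argv[4]) {
    if (!valid_datetime(input)) return -1;
    argv[0] = "date";
    argv[1] = "-s";
    argv[2] = input;
    argv[3] = NULL;
    return 0;
}

/* Run date -s via fork/execvp: the value is a single argv element, so the
   shell never parses it. Returns the child's exit status, or -1 on error. */
int set_time_noshell(const char *input) {
    const char *argv[4];
    if (build_date_argv(input, argv) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed samples: a well-formed value and one with a trailing tail. */
    const char *good = "2025-10-22 12:00:00";
    const char *tail = "2025-10-22 12:00:00;echo";
    printf("weak check accepts tailed input:   %d\n", weak_check_first_token(tail));
    printf("strict check accepts tailed input: %d\n", valid_datetime(tail));
    printf("strict check accepts good input:   %d\n", valid_datetime(good));
    return 0;
}
```

The validator is the primary control; the no-shell exec is defence in depth, since a validated value passed as its own argv element cannot be reinterpreted even if the validator is later loosened. Setting the clock with `date -s` requires root, so the program only prints the validation results and does not call `set_time_noshell` itself.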

Exploit

Fix

Weakness Enumeration

OS Command Injection

Code Injection

Related Identifiers

BDU:2026-02542
CVE-2025-70328

Affected Products

Totolink X6000R