OS Command Injection Vulnerability in TOTOLINK X6000R Router
CVE-2025-52906

9.3CRITICAL

Key Information:

Vendor: Totolink
Status: X6000r
Vendor: CVE Published:; 24 September 2025

What is CVE-2025-52906?

A vulnerability in the TOTOLINK X6000R router allows for OS command injection due to improper neutralization of special elements. This flaw could enable attackers to execute arbitrary commands on the system, potentially compromising the integrity and security of the device and connected networks. Users are advised to update their firmware to the latest version to mitigate any risks associated with this vulnerability.

Affected Version(s)

X6000R 0

References

https://www.totolink.net/home/menu/detail/menu_listtpl/do...

https://github.com/PaloAltoNetworks/u42-vulnerability-dis...

CVSS V4

Score:

9.3

Severity:

CRITICAL

Confidentiality:

Low

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Sep 24, 2025
Vulnerability Reserved
Jun 21, 2025

JSON

Totolink

What is CVE-2025-52906?

Affected Version(s)

References

CVSS V4

Timeline