Command Injection Vulnerability in TOTOLINK A950RG Router Firmware
CVE-2025-60702
6.5 MEDIUM
What is CVE-2025-60702?
A command injection vulnerability has been identified in the firmware of the TOTOLINK A950RG router. The flaw resides in the system.so binary, where the setDiagnosisCfg function inadequately handles the ipDomain parameter, which is read from user input via websGetVar. The parameter is concatenated directly into a ping system command executed through CsteSystem(), without any input sanitization. An unauthenticated remote attacker can exploit this flaw by sending crafted HTTP requests to the router's web interface, gaining arbitrary command execution on the device and thereby posing a significant risk to network integrity and user data.
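The following is an added example, not the vendor's firmware code, showing a hardened way to handle a diagnostic target such as ipDomain before it reaches ping: the value is allow-listed against a hostname/IPv4 grammar and then passed as a single argv element rather than pasted into a shell string. The function names and the MAX_TARGET limit are assumptions for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Illustrative hardening, not TOTOLINK code. Two layers: (1) allow-list
 * the target so shell metacharacters never get in, (2) run ping through
 * an argv vector (execvp), never through a shell string as system() does. */

#define MAX_TARGET 253   /* RFC 1035 maximum hostname length (assumption) */

/* True only if s is a plausible hostname or dotted IPv4 address: letters,
 * digits, '-' and '.', labels of 1..63 chars that neither start nor end
 * with '-'. Everything else (; | & ` $ ( ) space ...) is rejected. */
bool is_safe_ping_target(const char *s)
{
    size_t len = s ? strlen(s) : 0;
    if (len == 0 || len > MAX_TARGET)
        return false;
    size_t label_len = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label_len == 0 || s[i - 1] == '-')
                return false;           /* empty label or "-." */
            label_len = 0;
        } else if (isalnum(c) || c == '-') {
            if (c == '-' && label_len == 0)
                return false;           /* label may not start with '-' */
            if (++label_len > 63)
                return false;           /* RFC 1035 label limit */
        } else {
            return false;               /* shell metacharacter or other junk */
        }
    }
    return label_len > 0 && s[len - 1] != '-';
}

/* Builds argv for execvp(). The target is one argv element, so no shell
 * ever parses it. Returns argc, or -1 if the target was rejected. */
int build_ping_argv(const char *target, const char *argv[5])
{
    if (!is_safe_ping_target(target))
        return -1;
    argv[0] = "ping"; argv[1] = "-c"; argv[2] = "4";
    argv[3] = target; argv[4] = NULL;
    return 4;
}
```

In the request handler the child process would call execvp(argv[0], (char *const *)argv) after a successful build_ping_argv; a -1 result should produce an HTTP error, not a fallback to the raw value.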
References
CVSS V3.1
Score: 6.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
