CRITICAL🇵🇱 Wersja polska

CVE-2024-52723

CVSS 9.8v3.1pub. 2024-11-22upd. 2026-07-05

In TOTOLINK X6000R V9.4.0cu.1041_B20240224 in the shttpd file, the Uci_Set Str function is used without strict parameter filtering. An attacker can achieve arbitrary command execution by constructing the payload.

🤖 AI Analysis
How it works

In the shttpd file of TOTOLINK X6000R firmware, the Uci_Set_Str function processes input data without proper parameter filtering. An attacker can construct a specially crafted payload containing malicious system commands that will be executed by the device without any verification. The vulnerability is accessible remotely over the network without requiring any credentials.

Impact

Attacker gains the ability to execute arbitrary commands with the privileges of the shttpd process on the device, which in practice means complete takeover of the router — violation of confidentiality, integrity and availability of the system.

Mitigation & patch

Security patches available from the manufacturer should be applied in accordance with the references. Until the update is applied, it is recommended to restrict access to the device management interface to trusted IP addresses only and isolate the device from the public Internet.

Who is affected

TOTOLINK X6000R in firmware version V9.4.0cu.1041_B20240224

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Totolink X6000r

    HW
    Totolink
    wszystkie wersje
  • Totolink X6000r Firmware

    OS
    Totolink
    9.4.0cu.1041_b20240224
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Command Injection
CWE
References

Related vulnerabilities

CVE-2025-11005CRITICAL9.3PL ✓ten sam produkt

OS Command Injection w TOTOLINK X6000R — zdalne wykonanie poleceń

CVE-2025-52906CRITICAL9.3PL ✓ten sam produkt

OS Command Injection w firmware routera TOTOLINK X6000R

CVE-2025-52053CRITICAL9.8PL ✓ten sam produkt

Command injection w TOTOLINK X6000R – zdalne wykonanie kodu bez uwierzytelnienia

CVE-2023-52038CRITICAL9.8PL ✓ten sam produkt

Command Injection w TOTOLINK X6000R — wykonanie dowolnych poleceń

CVE-2023-52039CRITICAL9.8PL ✓ten sam produkt

Command injection w TOTOLINK X6000R umożliwia zdalne wykonanie kodu