Description

TOTOLINK X5000R v9.1.0cu_2415_B20250515 contains an argument injection vulnerability in the setDiagnosisCfg handler of the /usr/sbin/lighttpd executable. The ip parameter is retrieved via websGetVar and passed to a ping command through CsteSystem without checking whether the input starts with a hyphen (-). This allows remote authenticated attackers to inject arbitrary command-line options into the ping utility, potentially leading to a Denial of Service (DoS) by causing excessive resource consumption or prolonged execution.
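One way to close this gap on the input side, shown as an added example (not TOTOLINK's code and not a vendor patch): validate the ip value before it reaches ping and place it after an end-of-options marker. The function names diag_target_ok and build_ping_argv are hypothetical, and launching ping from an argv array rather than a command string is an assumption.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical validator: 1 if s is an IP literal or a plain hostname, else 0. */
int diag_target_ok(const char *s)
{
    unsigned char addr[sizeof(struct in6_addr)];
    size_t len, i;
    /* A leading '-' would be parsed by ping as an option, so reject it up front. */
    if (s == NULL || s[0] == '-' || (len = strlen(s)) == 0 || len > 253)
        return 0;
    if (inet_pton(AF_INET, s, addr) == 1 || inet_pton(AF_INET6, s, addr) == 1)
        return 1;
    if (!isalnum((unsigned char)s[0]))
        return 0;
    /* Hostname: alnum, '.', '-' only; no label may begin with '.' or '-'. */
    for (i = 1; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        int sep = (c == '.' || c == '-') && s[i - 1] != '.';
        if (!isalnum(c) && !sep)
            return 0;
    }
    return 1;
}

/* Fills argv for an execv-style launch; returns argc, or -1 if rejected. */
int build_ping_argv(const char *target, const char *argv[], size_t cap)
{
    if (cap < 6 || !diag_target_ok(target))
        return -1;
    argv[0] = "ping";
    argv[1] = "-c"; argv[2] = "4";   /* fixed count bounds the run time */
    argv[3] = "--";                  /* end of options: target is an operand */
    argv[4] = target; argv[5] = NULL;
    return 5;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the advisory. */
    const char *samples[] = { "192.168.0.1", "fe80::1", "router.example", "-x", "a.-x" };
    const char *av[6];
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-16s %s\n", samples[i],
               build_ping_argv(samples[i], av, 6) == 5 ? "accept" : "reject");
    return 0;
}
```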

INFO

Published Date: 2026-02-23T00:00:00.000Z

Last Modified: 2026-02-25T14:32:59.975Z

Source: mitre

AFFECTED PRODUCTS

The following products are affected by the CVE-2025-70327 vulnerability.

Vendor: Totolink
Products:
  • X5000r
  • X5000r Firmware
