Description

TOTOLink X5000R v9.1.0cu_2415_B20250515 contains an OS command injection vulnerability in the setIptvCfg handler of the /usr/sbin/lighttpd executable. The vlanVidLan1 (and other vlanVidLanX) parameters are retrieved via Uci_Get_Str and passed to the CsteSystem function without adequate validation or filtering. This allows an authenticated attacker to execute arbitrary shell commands with root privileges by injecting shell metacharacters into the affected parameters.

INFO

Published Date :

2026-02-23T00:00:00.000Z

Last Modified :

2026-02-23T19:35:36.476Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2025-70329 vulnerability.

Vendors Products
Totolink
  • X5000r
  • X5000r Firmware
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-70329.

URL Resource
https://github.com/neighborhood-H/0-DAY/blob/main/Toto-link/X5000R/SetIptvCfg/report.md cve-icon cve-icon
https://www.notion.so/TOTOLINK-X5000R-SetIptvCfg-2d170566ca7f8027ad47e6b5429025fc?source=copy_link cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact