COOEY // HUBcompliance · community · intelligence

FAIL › dossier

totolink vendor

· dossier confidence 20%

TOTOLINK is a private networking vendor with a history of critical security failures, including multiple remote code execution and authentication bypass vulnerabilities in router firmware.

13
failure events
0
zero-days
8
RCEs
0
on KEV
13
critical
50
worst shame

Profile

Category
vendor
What they do
TOTOLINK is a global networking equipment manufacturer specializing in consumer-grade routers, gateways, and IoT devices for residential and small business markets.
Website
https://www.totolink.com

Security posture

TOTOLINK demonstrates a high frequency of critical security vulnerabilities, with a pattern of unpatched command injection and RCE flaws in firmware across multiple product lines.

Notable failures
  • CVE-2024-52723: Critical RCE in X6000R shttpd
  • CVE-2023-50651: Critical RCE in X6000R cgi-bin
  • CVE-2023-31569: Critical Command Injection in X5000R
  • CVE-2021-42875: Critical RCE in EX1200T
  • CVE-2025-51452: Critical Login Bypass in A7000R
Patterns
Repeated unpatched edge-device RCEs; Command injection via CGI scripts; Authentication bypass vulnerabilities

Failure history 13 events

DateEventSevFlagsShameSummary
2024-11-22 CVE-2024-52723 critical ⚡RCE 50 In TOTOLINK X6000R V9.4.0cu.1041_B20240224 in the shttpd file, the Uci_Set Str function is used without strict parameter filtering. An attacker can achieve arbitrary command execution by constructing the payload.
2023-12-30 CVE-2023-50651 critical ⚡RCE 50 TOTOLINK X6000R v9.4.0cu.852_B20230719 was discovered to contain a remote command execution (RCE) vulnerability via the component /cgi-bin/cstecgi.cgi.
2023-06-06 CVE-2023-31569 critical ⚡RCE 50 TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain a command injection via the setWanCfg function.
2023-05-18 CVE-2023-31729 critical ⚡RCE 50 TOTOLINK A3300R v17.0.0cu.557 is vulnerable to Command Injection via /cgi-bin/cstecgi.cgi.
2022-06-02 CVE-2021-42875 critical ⚡RCE 50 TOTOLINK EX1200T V4.1.2cu.5215 contains a remote command injection vulnerability in the function setDiagnosisCfg of the file lib/cste_modules/system.so to control the ipDoamin.
2022-06-02 CVE-2021-42872 critical ⚡RCE 50 TOTOLINK EX1200T V4.1.2cu.5215 is affected by a command injection vulnerability that can remotely execute arbitrary code.
2022-03-30 CVE-2021-46007 critical ⚡RCE 50 totolink a3100r V5.9c.4577 is vulnerable to os command injection. The backend of a page is executing the "ping" command, and the input field does not adequately filter special symbols. This can lead to command injection attacks.
2022-03-11 CVE-2021-44620 critical ⚡RCE 50 A Command Injection vulnerability exits in TOTOLINK A3100R <=V4.1.2cu.5050_B20200504 in adm/ntm.asp via the hosTime parameters.
2025-08-13 CVE-2025-51452 critical 35 In TOTOLINK A7000R firmware 9.1.0u.6115_B20201022, an attacker can bypass login by sending a specific request through formLoginAuth.htm.
2025-08-13 CVE-2025-51451 critical 35 In TOTOLINK EX1200T firmware 4.1.2cu.5215, an attacker can bypass login by sending a specific request through formLoginAuth.htm.
2023-09-25 CVE-2023-43141 critical 35 TOTOLINK A3700R V9.1.2u.6134_B20201202 and N600R V5.3c.5137 are vulnerable to Incorrect Access Control.
2022-08-29 CVE-2022-32993 critical 35 TOTOLINK A7000R V4.1cu.4134 was discovered to contain an access control issue via /cgi-bin/ExportSettings.sh.
2022-03-30 CVE-2021-46009 critical 35 In Totolink A3100R V5.9c.4577, multiple pages can be read by curl or Burp Suite without authentication. Additionally, admin configurations can be set without cookies.

Dossier sources

Open questions: Totolink's current patch management process for firmware updates · Whether Totolink products are used in CMMC-eligible environments