FAIL › dossier
· dossier confidence 20%
TOTOLINK is a private networking vendor with a history of critical security failures, including multiple remote code execution and authentication bypass vulnerabilities in router firmware.
TOTOLINK demonstrates a high frequency of critical security vulnerabilities, with a pattern of unpatched command injection and RCE flaws in firmware across multiple product lines.
| Date | Event | Sev | Flags | Shame | Summary |
|---|---|---|---|---|---|
| 2024-11-22 | CVE-2024-52723 | critical | ⚡RCE | 50 | In TOTOLINK X6000R V9.4.0cu.1041_B20240224 in the shttpd file, the Uci_Set Str function is used without strict parameter filtering. An attacker can achieve arbitrary command execution by constructing the payload. |
| 2023-12-30 | CVE-2023-50651 | critical | ⚡RCE | 50 | TOTOLINK X6000R v9.4.0cu.852_B20230719 was discovered to contain a remote command execution (RCE) vulnerability via the component /cgi-bin/cstecgi.cgi. |
| 2023-06-06 | CVE-2023-31569 | critical | ⚡RCE | 50 | TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain a command injection via the setWanCfg function. |
| 2023-05-18 | CVE-2023-31729 | critical | ⚡RCE | 50 | TOTOLINK A3300R v17.0.0cu.557 is vulnerable to Command Injection via /cgi-bin/cstecgi.cgi. |
| 2022-06-02 | CVE-2021-42875 | critical | ⚡RCE | 50 | TOTOLINK EX1200T V4.1.2cu.5215 contains a remote command injection vulnerability in the function setDiagnosisCfg of the file lib/cste_modules/system.so to control the ipDoamin. |
| 2022-06-02 | CVE-2021-42872 | critical | ⚡RCE | 50 | TOTOLINK EX1200T V4.1.2cu.5215 is affected by a command injection vulnerability that can remotely execute arbitrary code. |
| 2022-03-30 | CVE-2021-46007 | critical | ⚡RCE | 50 | totolink a3100r V5.9c.4577 is vulnerable to os command injection. The backend of a page is executing the "ping" command, and the input field does not adequately filter special symbols. This can lead to command injection attacks. |
| 2022-03-11 | CVE-2021-44620 | critical | ⚡RCE | 50 | A Command Injection vulnerability exits in TOTOLINK A3100R <=V4.1.2cu.5050_B20200504 in adm/ntm.asp via the hosTime parameters. |
| 2025-08-13 | CVE-2025-51452 | critical | 35 | In TOTOLINK A7000R firmware 9.1.0u.6115_B20201022, an attacker can bypass login by sending a specific request through formLoginAuth.htm. | |
| 2025-08-13 | CVE-2025-51451 | critical | 35 | In TOTOLINK EX1200T firmware 4.1.2cu.5215, an attacker can bypass login by sending a specific request through formLoginAuth.htm. | |
| 2023-09-25 | CVE-2023-43141 | critical | 35 | TOTOLINK A3700R V9.1.2u.6134_B20201202 and N600R V5.3c.5137 are vulnerable to Incorrect Access Control. | |
| 2022-08-29 | CVE-2022-32993 | critical | 35 | TOTOLINK A7000R V4.1cu.4134 was discovered to contain an access control issue via /cgi-bin/ExportSettings.sh. | |
| 2022-03-30 | CVE-2021-46009 | critical | 35 | In Totolink A3100R V5.9c.4577, multiple pages can be read by curl or Burp Suite without authentication. Additionally, admin configurations can be set without cookies. |
Open questions: Totolink's current patch management process for firmware updates · Whether Totolink products are used in CMMC-eligible environments