Critical remote code execution vulnerabilities reported in TOTOLINK X6000R routers
Take action: If you have a TOTOLINK X6000R router, make sure it's isolated from the internet and accessible only from trusted networks. Then plan a quick update to firmware version V9.4.0cu.1498_B20250826 from the official TOTOLINK website. Also change your router's default admin password to something strong and unique, and turn off remote management unless you absolutely need it.
Security researchers from Palo Alto Networks Unit 42 are reporting three serious vulnerabilities in the TOTOLINK X6000R router firmware. The flaws allow unauthenticated attackers to execute arbitrary commands, manipulate system files, and trigger denial-of-service conditions on affected devices.
Vulnerabilities summary:
- CVE-2025-52906 (CVSS score 9.3) is a Critical severity unauthenticated command injection vulnerability in the setEasyMeshAgentCfg function that allows remote attackers to execute arbitrary commands on the device without any authentication requirements.
- CVE-2025-52907 (CVSS score 7.3) is a High severity security bypass vulnerability affecting multiple components, including the setWizardCfg function, that enables attackers to corrupt system files, achieve arbitrary file writes, and potentially establish persistent remote code execution through chained exploitation techniques.
- CVE-2025-52905 (CVSS score 7.0) is an argument injection vulnerability that enables attackers to trigger denial-of-service conditions by crashing the router or overwhelming remote servers through crafted topicurl parameter values.
The three discovered vulnerabilities affect the router's web management interface endpoint /cgi-bin/cstecgi.cgi that serves as the central processing hub for configuration and operational requests. The root cause of all three vulnerabilities stems from an incomplete character blocklist in the firmware's sanitization function, which critically omits the hyphen character from its filtering routine. This creates multiple attack vectors that unauthenticated adversaries can exploit to compromise router security and potentially gain access to entire networks.
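The root cause described above, an incomplete character blocklist that lets a leading hyphen through, is a general failure pattern worth seeing side by side with its fix. The following is an added illustration and is not TOTOLINK's firmware code: the blocklist contents, the stand-in helper program parsed with argparse, and the parameter values are all constructed. It shows that a hyphen-prefixed value survives a blocklist and is then read as an option by the invoked program, and that an allowlist check plus ending option parsing with "--" (and an argv list rather than a shell string) removes that path.

```python
"""Added example, not vendor code: blocklist gap versus allowlist plus '--'."""
import argparse
import re

# Constructed approximation of an incomplete metacharacter blocklist.
# '-' is absent, so a value like "--log=/tmp/x" passes through unchanged.
INCOMPLETE_BLOCKLIST = frozenset(";|&`$(){}<>\n ")


def blocklist_sanitize(value: str) -> str:
    """Legacy-style filter: drops listed characters and keeps everything else."""
    return "".join(ch for ch in value if ch not in INCOMPLETE_BLOCKLIST)


# Allowlist for a host/URL-like parameter: must start with an alphanumeric
# (so it can never be read as an option) and may contain only a narrow set.
_ALLOWED = re.compile(r"[A-Za-z0-9][A-Za-z0-9._:/]{0,253}")


def allowlist_validate(value: str) -> bool:
    """True only if the whole value matches the allowlist pattern."""
    return _ALLOWED.fullmatch(value) is not None


def parse_tool_args(argv: list[str]) -> argparse.Namespace:
    """Stand-in for a hypothetical helper program's option parser."""
    parser = argparse.ArgumentParser(prog="tool", add_help=False)
    parser.add_argument("--log", default=None)          # an option the tool accepts
    parser.add_argument("target", nargs="?", default=None)  # the intended operand
    return parser.parse_args(argv)


def legacy_invoke(value: str) -> argparse.Namespace:
    """Vulnerable pattern: blocklist-filter, then hand the value straight to the tool."""
    return parse_tool_args([blocklist_sanitize(value)])


def hardened_argv(value: str) -> list[str]:
    """Reject values outside the allowlist, then end option parsing with '--'
    so the value is always treated as an operand. Pass the resulting list to
    subprocess.run(...) with shell=False; never join it into a shell string."""
    if not allowlist_validate(value):
        raise ValueError("parameter value rejected by allowlist")
    return ["--", value]


def hardened_invoke(value: str) -> argparse.Namespace:
    """Safe pattern: validate, separate options from operands, no shell."""
    return parse_tool_args(hardened_argv(value))


if __name__ == "__main__":
    # Constructed values: one benign hostname, one hyphen-prefixed string.
    for sample in ("update.example.net", "--log=/tmp/x"):
        print("blocklist keeps:", repr(blocklist_sanitize(sample)),
              "-> legacy parse:", legacy_invoke(sample))
        try:
            print("hardened parse:", hardened_invoke(sample))
        except ValueError as err:
            print("hardened rejects:", sample, "(", err, ")")
```

The legacy path turns the hyphen-prefixed value into the tool's `--log` option, which is the shape of the argument injection the advisory describes; the hardened path rejects it outright, and even without the allowlist the "--" separator alone would force it to be read as the `target` operand.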
Affected versions of the TOTOLINK X6000R router include all firmware releases up to and including version V9.4.0cu.1360_B20241207, which was distributed to customers on March 28, 2025.
TOTOLINK has worked collaboratively with security researchers to address these vulnerabilities and has released corrected firmware version V9.4.0cu.1498_B20250826.
Users of affected routers are strongly advised to upgrade immediately to the patched firmware version available through the official TOTOLINK download portal. Default router credentials should be changed immediately to strong, unique passwords for web administration interfaces, as many attacks begin by exploiting unchanged factory default credentials. Remote management features should be disabled if not explicitly required for legitimate purposes, as they expand the attack surface accessible from the internet.