CVE-2025-1339
Published: 16 February 2025
Description
A vulnerability was found in TOTOLINK X18 9.1.0cu.2024_B20220329. It has been rated as critical. This issue affects the function setL2tpdConfig of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument enable leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Security Summary
CVE-2025-1339 is an OS command injection vulnerability (CWE-77, CWE-78) in TOTOLINK X18 routers running firmware version 9.1.0cu.2024_B20220329. The flaw affects the setL2tpdConfig function in the /cgi-bin/cstecgi.cgi file, where manipulation of the "enable" argument enables arbitrary command execution. Rated as critical by some sources with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), it was published on 2025-02-16.
The vulnerability is exploitable remotely by an authenticated attacker with low privileges. Exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling command execution on the underlying operating system.
VulDB advisories and a GitHub repository detail the issue, confirming public disclosure of an exploit that may be actively used. TOTOLINK was contacted early regarding the vulnerability but provided no response, and no patches or mitigations are mentioned on their website or in referenced submissions.
Details
- CWE(s)