Cyber Posture

CVE-2025-70327

CriticalPublic PoC

Published: 23 February 2026

Published
23 February 2026
Modified
26 February 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0264 85.8th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Description

TOTOLINK X5000R v9.1.0cu_2415_B20250515 contains an argument injection vulnerability in the setDiagnosisCfg handler of the /usr/sbin/lighttpd executable. The ip parameter is retrieved via websGetVar and passed to a ping command through CsteSystem without validating if the input starts with a hyphen…

more

(-). This allows remote authenticated attackers to inject arbitrary command-line options into the ping utility, potentially leading to a Denial of Service (DoS) by causing excessive resource consumption or prolonged execution.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly mandates validation of the 'ip' parameter to neutralize argument injection into the ping command executed via CsteSystem.

SI-2 Flaw Remediation good match
prevent

Requires timely flaw remediation to patch the argument injection vulnerability in the setDiagnosisCfg handler.

SC-5 Denial-of-service Protection partial match
prevent

Mitigates the DoS impact from excessive resource consumption or prolonged ping execution caused by injected options.

Security SummaryAI

CVE-2025-70327 is an argument injection vulnerability affecting the TOTOLINK X5000R router running firmware version v9.1.0cu_2415_B20250515. The issue resides in the setDiagnosisCfg handler within the /usr/sbin/lighttpd executable, where the "ip" parameter is retrieved using websGetVar and passed directly to a ping command via CsteSystem without validation for inputs starting with a hyphen (-). This flaw corresponds to CWEs-88 (Improper Neutralization of Argument Delimiters in a Command) and CWE-400 (Uncontrolled Resource Consumption), earning a CVSS v3.1 base score of 9.8 (Critical: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Remote attackers can exploit this vulnerability by supplying a malicious "ip" parameter that injects arbitrary command-line options into the ping utility. Although the description specifies remote authenticated attackers, the CVSS vector indicates no privileges (PR:N) are required. Successful exploitation enables denial-of-service (DoS) conditions through excessive resource consumption or prolonged execution of the ping command.

Advisories detailing the vulnerability, including potential mitigation steps, are available in the referenced reports at https://github.com/neighborhood-H/0-DAY/blob/main/Toto-link/X5000R/SetDiagnosisCfg/report.md and https://www.notion.so/TOTOLINK-X5000R-SetDiagnosisCfg-2d170566ca7f8098a0bcee9f2a15d40d?source=copy_link. Security practitioners should consult these for vendor-specific patch information or workarounds.

Details

CWE(s)
CWE-88CWE-400

Affected Products

totolink
x5000r firmware
9.1.0cu.2415_b20250515

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

Public-facing router web interface vulnerable to unauthenticated argument injection (T1190), enabling DoS via ping resource exhaustion or abuse (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References