CVE-2025-70328
Published: 23 February 2026
Description
TOTOLINK X6000R v9.4.0cu.1498_B20250826 contains an OS command injection vulnerability in the NTPSyncWithHost handler of the /usr/sbin/shttpd executable. The host_time parameter is retrieved via sub_40C404 and passed to a date -s shell command through CsteSystem. While the first two tokens of the input are validated, the remainder of the string is not sanitized, allowing authenticated attackers to execute arbitrary shell commands via shell metacharacters.
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation of information inputs like the host_time parameter to prevent OS command injection via unsanitized shell metacharacters.
SI-2 mandates identification, reporting, and correction of system flaws such as this OS command injection vulnerability through timely patching.
SI-9 enforces restrictions on information inputs like host_time to block injection of shell metacharacters beyond validated tokens.
Security Summary
CVE-2025-70328 is an OS command injection vulnerability affecting the TOTOLINK X6000R router running firmware version v9.4.0cu.1498_B20250826. The issue resides in the NTPSyncWithHost handler within the /usr/sbin/shttpd executable, where the host_time parameter is retrieved via sub_40C404 and passed unsanitized to a date -s shell command through CsteSystem. Although the first two tokens of the input are validated, the remainder of the string lacks sanitization, enabling the injection of shell metacharacters to execute arbitrary commands. The vulnerability is associated with CWE-78 (OS Command Injection) and CWE-94 (Improper Control of Generation of Code), and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). It was published on 2026-02-23.
Authenticated attackers with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By crafting a malicious host_time parameter, they can inject shell metacharacters beyond the validated tokens, leading to arbitrary shell command execution on the device. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, potentially allowing full compromise of the router.
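The root cause described above is a partial check: two tokens of host_time are validated and the rest of the string reaches a shell through CsteSystem. The following C program is an added example written for this page, not code from the TOTOLINK firmware, showing the two fixes a defender would want in that handler: validate the whole value against a fixed date-time shape (any extra byte, including a shell metacharacter, rejects the entire input), and set the clock with execv() and an argv array so no shell ever parses the value. The function names validate_host_time and set_system_time, the assumed format "YYYY-MM-DD HH:MM:SS", and the sample values are all constructed for illustration.

```c
/* Added example, not TOTOLINK firmware code: whole-string validation of an
 * NTP host_time value plus a shell-free replacement for "date -s <value>". */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

#define HOST_TIME_LEN 19  /* strlen("2026-02-23 12:00:00"); assumed format */

/* Return 1 if s is exactly "YYYY-MM-DD HH:MM:SS" with plausible field
 * ranges, 0 otherwise.  The length check means there is no "validated
 * prefix + unchecked remainder": a ';', '|', '`', '$', space or newline
 * after the 19th byte invalidates the whole value. */
int validate_host_time(const char *s)
{
    static const char pattern[] = "dddd-dd-dd dd:dd:dd";  /* 'd' = digit */
    if (s == NULL || strlen(s) != HOST_TIME_LEN)
        return 0;
    for (size_t i = 0; i < HOST_TIME_LEN; i++) {
        if (pattern[i] == 'd') {
            if (!isdigit((unsigned char)s[i]))
                return 0;
        } else if (s[i] != pattern[i]) {
            return 0;
        }
    }
    int year, mon, day, hour, min, sec;
    if (sscanf(s, "%4d-%2d-%2d %2d:%2d:%2d",
               &year, &mon, &day, &hour, &min, &sec) != 6)
        return 0;
    if (mon < 1 || mon > 12 || day < 1 || day > 31 ||
        hour > 23 || min > 59 || sec > 60)   /* 60 allows a leap second */
        return 0;
    return 1;
}

/* Hardened replacement for running "date -s <host_time>" through a shell:
 * the value is one argv element handed straight to /bin/date, so even a
 * value that slipped past validation is never interpreted by /bin/sh.
 * Returns date's exit status, or -1 on validation, fork or exec failure. */
int set_system_time(const char *host_time)
{
    if (!validate_host_time(host_time))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *argv[] = { "date", "-s", (char *)host_time, NULL };
        execv("/bin/date", argv);
        _exit(127);  /* only reached if exec itself failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample values, not taken from any real request. */
    const char *ok = "2026-02-23 12:00:00";
    const char *tampered = "2026-02-23 12:00:00; extra";
    printf("\"%s\" -> %d\n", ok, validate_host_time(ok));
    printf("\"%s\" -> %d\n", tampered, validate_host_time(tampered));
    return 0;
}
```

The length check is what closes the gap the advisory describes: a token-by-token check that stops after two tokens implicitly trusts everything that follows, whereas a fixed-length, fixed-shape check has no remainder to trust. Passing the value via argv rather than a shell string is defence in depth; it should accompany validation, not replace it, because /bin/date still parses its argument.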
Advisories detailing the vulnerability, including potential mitigation guidance, are available in the following references: https://github.com/neighborhood-H/0-DAY/blob/main/Toto-link/X6000R/NTPSyncWihtHost/report.md and https://www.notion.so/TOTOLINK-X6000R-NTPSyncWithHost-2d170566ca7f803a8096c1b31b2ed42f?source=copy_link.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection in the router's web interface (the NTPSyncWithHost handler) is an exploitation of a public-facing application that results in arbitrary shell command execution on the network device's command line.