CVE-2025-70327 - Vulnerability Analysis
Severity: Critical
CVSS: 9.8
Last Updated: February 25, 2026
TOTOLINK X5000R - Command Injection
Published: February 23, 2026
Updated: February 25, 2026
Remote Exploitable
Overview
TOTOLINK X5000R v9.1.0cu_2415_B20250515 contains a command injection vulnerability caused by improper validation of the ip parameter in the setDiagnosisCfg handler of /usr/sbin/lighttpd. The unvalidated value reaches the ping command, which lets remote authenticated attackers cause a denial of service via injected ping options.
Severity & Score
Severity: Critical
CVSS Score: 9.8
Impact
Remote authenticated attackers can cause a denial of service by injecting options into the ping command, leading to resource exhaustion or prolonged execution on the device.
Mitigation
Update to the latest firmware version, which validates the ip parameter properly, or apply the vendor's patch.
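The root cause named above is that the ip parameter is not validated before it is handed to ping. The following is an added example, not TOTOLINK's firmware code nor lighttpd code, of what "proper input validation" looks like for this class of bug: the value is accepted only if it is a pure IPv4 or IPv6 literal (so it can never start with a dash or carry extra tokens), and ping is invoked with an argument vector rather than through a shell. Function names, the fixed packet count and the /bin/ping path are assumptions.

```c
/* Added example (not the vendor's code): strict validation of a diagnostic
 * ping target and a shell-free invocation. Names and paths are hypothetical. */
#include <arpa/inet.h>
#include <stddef.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_TARGET_LEN 45   /* longest textual IPv6 form (incl. IPv4-mapped) */

/* Return 1 if s is a well-formed IPv4 or IPv6 address literal, else 0.
 * inet_pton() requires the whole string to be the address, so anything with
 * spaces, a leading '-', shell metacharacters or a hostname is rejected. */
int is_ip_literal(const char *s)
{
    unsigned char buf[16];
    size_t n;

    if (s == NULL)
        return 0;
    n = strlen(s);
    if (n == 0 || n > MAX_TARGET_LEN)
        return 0;
    if (inet_pton(AF_INET, s, buf) == 1)
        return 1;
    if (inet_pton(AF_INET6, s, buf) == 1)
        return 1;
    return 0;
}

/* Fill argv for ping with a firmware-chosen fixed option set and the target
 * as its own final element, so no option parsing can be influenced by user
 * input. Returns the argument count, or -1 if the target fails validation.
 * argv must have room for at least 5 pointers. */
int build_ping_argv(const char *target, const char *argv[5])
{
    if (!is_ip_literal(target))
        return -1;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "4";        /* fixed count: assumed firmware policy */
    argv[3] = target;
    argv[4] = NULL;
    return 4;
}

/* Run ping via fork/execv (no /bin/sh involved). Returns ping's exit status,
 * -1 if the target is invalid or the process could not be started.
 * The /bin/ping path is an assumption for this example. */
int run_diagnostic_ping(const char *target)
{
    const char *argv[5];
    pid_t pid;
    int status;

    if (build_ping_argv(target, argv) < 0)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv("/bin/ping", (char *const *)argv);
        _exit(127);   /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The two properties worth checking in review of any such handler are that the validator is an allow-list (a parser that must succeed, not a deny-list of bad characters) and that the validated value becomes exactly one argv element; together they remove both shell interpretation and option injection.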
Details
- CVE ID: CVE-2025-70327
- Severity: Critical
- CVSS Score: 9.8
- Type: command_injection
- Status: unconfirmed
CWE
- CWE-400
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H