LeakyCreds

CVE-2025-70328 - Vulnerability Analysis

High | CVSS: 8.8

Last Updated: February 25, 2026

TOTOLINK X6000R - OS Command Injection

Published: February 23, 2026 | Updated: February 25, 2026 | Remote Exploitable

Overview

TOTOLINK X6000R v9.4.0cu.1498_B20250826 contains an OS command injection vulnerability caused by improper sanitization of the host_time parameter in the NTPSyncWithHost handler of /usr/sbin/shttpd. Authenticated attackers can execute arbitrary shell commands by including shell metacharacters in that parameter.

Severity & Score

Severity: High
CVSS Score: 8.8

Impact

Authenticated attackers can execute arbitrary shell commands, potentially leading to full system compromise.

Mitigation

Update to the latest version or apply vendor patches addressing this vulnerability.

Details

CVE ID: CVE-2025-70328
Severity: High
CVSS Score: 8.8
Type: command_injection
Status: unconfirmed

CWE

  • CWE-94

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H