LeakyCreds

CVE-2025-70329 - Vulnerability Analysis

High, CVSS: 8.0

Last Updated: February 24, 2026

TOTOLink X5000R - Command Injection

Published: February 23, 2026 | Updated: February 24, 2026 | PoC Available

Overview

TOTOLink X5000R v9.1.0cu_2415_B20250515 contains an OS command injection vulnerability caused by inadequate validation of the vlanVidLanX parameters in the setIptvCfg handler of /usr/sbin/lighttpd, which lets authenticated attackers execute arbitrary shell commands with root privileges.

Severity & Score

Severity: High
CVSS Score: 8.0
EPSS Score: 42.9% (Probability of exploitation in next 30 days)

Impact

Authenticated attackers can execute arbitrary commands as root, leading to full system compromise.

Mitigation

Update to the latest version that includes proper input validation, or apply vendor patches.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Feb 23, 2026

🟠 CVE-2025-70329 - High (8) TOTOLink X5000R v9.1.0cu_2415_B20250515 contains an OS command injection vulnerability in the setIptvCfg handler of the /usr/sbin/lighttpd executable. The vlanVidLan1 (and other vlanVidLanX) parameters are retrieved via Uci_Get_Str and passed to t... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-70329/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2025-70329
Severity: High
CVSS Score: 8.0
Type: command_injection
Status: confirmed
EPSS: 42.9%
Social Posts: 1

CWE

  • CWE-78

CVSS Metrics

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

42.9% (Probability of exploitation in the next 30 days)