Critical Flaw CVE-2025-52906 (CVSS 9.3) Allows Unauthenticated RCE on TOTOLINK X6000R Routers

Researchers from Unit 42, Palo Alto Networks’ threat intelligence team, have disclosed three newly discovered vulnerabilities in the firmware of the TOTOLINK X6000R router, version V9.4.0cu.1360_B20241207. These flaws could allow attackers to crash devices, execute arbitrary commands without authentication, or achieve persistent remote code execution (RCE).

CVE-2025-52905: Argument Injection

The first vulnerability, CVE-2025-52905, rated High severity (CVSS 7.0), is an argument injection flaw. Unit 42 explains that although the firmware includes an input sanitization function, “this function’s blocklist fails to filter the hyphen character (-), creating a High [severity] argument injection [vulnerability] across multiple components.”

Attackers could exploit this to trigger a denial-of-service (DoS), crashing the router or overwhelming remote servers.

CVE-2025-52906: Unauthenticated Command Injection

The most severe issue, CVE-2025-52906, is rated Critical (CVSS 9.3). The vulnerability lies in the setEasyMeshAgentCfg function, which fails to validate the agentName parameter. As Unit 42 notes, “This vulnerability does not require authentication, meaning any attacker who can reach the router’s web interface can exploit it.”

If successfully exploited, attackers could execute arbitrary commands with root privileges, enabling them to:

  • Intercept network traffic
  • Pivot to other devices on the same network
  • Install persistent malware
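The two root causes above (a blocklist that misses the hyphen, and an unvalidated name parameter passed on to a command) share one fix pattern. The following is an added illustration, hypothetical code rather than TOTOLINK firmware: a blocklist sanitizer beside an allowlist validator for a field like agentName, and an argv builder that uses the getopt-style "--" end-of-options marker (the helper tool path and the name format are assumptions).

```python
import re
from typing import List, Optional

# Added illustration of the flaw class described above; hypothetical code, not
# TOTOLINK firmware. A blocklist sanitizer that strips shell metacharacters but
# not "-" still lets a value beginning with "-" reach an exec'd tool as an option.
BLOCKLIST = set(";|&`$()<>\n\"'\\ ")


def blocklist_sanitize(value: str) -> str:
    """Blocklist approach: drop known-bad characters, keep everything else."""
    return "".join(ch for ch in value if ch not in BLOCKLIST)


# Allowlist approach for a field such as agentName (hypothetical format):
# 1-32 characters, must start with a letter, digit or underscore, so a
# leading hyphen can never be read as a command-line flag.
AGENT_NAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}")


def validate_agent_name(value: str) -> bool:
    """Accept only values that match the allowlist exactly (fullmatch)."""
    return AGENT_NAME_RE.fullmatch(value) is not None


def build_argv(tool: str, agent_name: str) -> Optional[List[str]]:
    """Build an argv list for a hypothetical helper tool.

    Returns None for a rejected name. The list form never touches a shell,
    and the "--" end-of-options marker tells getopt-style parsers that what
    follows is an operand even if it begins with "-". Tools that do not
    honour "--" are exactly why the allowlist check is still required.
    """
    if not validate_agent_name(agent_name):
        return None
    return [tool, "--", agent_name]
```

Pass the returned list to `subprocess.run(argv, check=True)` rather than joining it into a shell string.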

CVE-2025-52907: Bypass and Arbitrary File Write

The third vulnerability, CVE-2025-52907, is another High severity flaw (CVSS 7.3). It allows attackers to bypass incomplete input checks to manipulate system files.

The report explains: “This vulnerability allows for an arbitrary file write by bypassing the same user-input confidence check, enabling an unauthenticated attacker to escalate their attack.”

With this capability, adversaries could corrupt system files, modify /etc/passwd to create new users, or alter boot scripts for persistent RCE.

Widespread Impact and Mitigation

TOTOLINK, a global manufacturer of consumer networking devices, has a wide installation base. As Unit 42 warns, “The widespread adoption of these products makes their [security] a critical area of focus.”

Fortunately, TOTOLINK has already issued a fix. Users should upgrade their X6000R routers to firmware V9.4.0cu.1498_B20250826 immediately to secure their devices.