TOTOLINK X6000R Routers Hit by Three Vulnerabilities Allowing Remote Code Execution
Three security flaws, one of them rated critical, were disclosed in firmware version V9.4.0cu.1360_B20241207 (released on March 28, 2025) of the TOTOLINK X6000R router.
These vulnerabilities range from argument injection and command injection to a security bypass that can lead to remote code execution.
Attackers can crash devices, corrupt system files, and execute arbitrary commands without authentication.
Users must update immediately to the fixed firmware release (V9.4.0cu.1498_B20250826) to protect their networks.
Overview of the Vulnerabilities
| CVE Identifier | Rating | CVSS-B Score | Description |
|---|---|---|---|
| CVE-2025-52905 | High | 7.0 | Argument injection flaw that can crash the router or overwhelm external servers, resulting in denial of service. |
| CVE-2025-52906 | Critical | 9.3 | Unauthenticated command injection allowing remote execution of arbitrary commands on the device. |
| CVE-2025-52907 | High | 7.3 | Security bypass enabling arbitrary file writes, persistent denial of service, or chainable remote code execution exploits. |
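The table lists two different injection classes, argument injection (CVE-2025-52905) and command injection (CVE-2025-52906), that often come from the same coding pattern in router web interfaces: a user-supplied field pasted into a command string that is handed to a shell. The following C example is added here to show the two classes side by side with a hardened handler; it is a constructed illustration, not code from the TOTOLINK X6000R firmware or from the advisory, and the "diagnostic ping" handler, its function names and the sample inputs are assumptions made for the demonstration.

```c
/* Illustrative CGI-style "diagnostic ping" handler. Constructed example:
 * NOT the TOTOLINK X6000R firmware. It shows how a shell-built command string
 * is open to both argument injection and command injection, and how a fixed
 * argv plus a strict allow-list closes both. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* VULNERABLE: the user-controlled "host" field is pasted into a command line
 * that would be handed to /bin/sh via system(). Two distinct bugs live here:
 *  - argument injection: a host of "-f" or "-s 65000" is parsed by ping as an
 *    option (flood / oversized packets), the mechanism behind an argument
 *    injection DoS against the device itself or against an external server;
 *  - command injection: a host of "192.0.2.1; reboot" terminates the ping
 *    command and runs an attacker-chosen second command as the web server's
 *    user, with no authentication beyond reaching the endpoint. */
int build_ping_cmd_vuln(const char *host, char *out, size_t out_len)
{
    int n = snprintf(out, out_len, "ping -c 1 %s", host);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

/* Allow-list for a hostname or dotted IPv4 literal: letters, digits, '.', '-'.
 * Rejects an empty string, an over-long value, and a leading '-' so the value
 * can never be parsed as an option by the target program. Returns 1 if safe. */
int host_is_safe(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253 || host[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* HARDENED: validate first, then build a fixed argv for execve(). With no
 * shell in the path, ';' '|' '`' and '$(' carry no meaning, and "--" marks the
 * end of options for getopt-style parsers so the host is always an operand.
 * Returns the argv count on success, -1 if the host is rejected. */
int build_ping_argv_safe(const char *host, const char *argv[], size_t argv_cap)
{
    if (argv_cap < 6 || !host_is_safe(host))
        return -1;
    argv[0] = "/bin/ping";
    argv[1] = "-c";
    argv[2] = "1";
    argv[3] = "--";
    argv[4] = host;
    argv[5] = NULL;
    return 5;
}

int main(void)
{
    /* Constructed inputs: legitimate host, argument injection, command injection. */
    const char *inputs[] = { "192.0.2.1", "-f 192.0.2.1", "192.0.2.1; reboot" };
    char cmd[256];
    const char *argv[6];

    for (size_t i = 0; i < 3; i++) {
        build_ping_cmd_vuln(inputs[i], cmd, sizeof cmd);
        printf("vulnerable shell string: %s\n", cmd);
        if (build_ping_argv_safe(inputs[i], argv, 6) < 0)
            printf("hardened handler       : rejected \"%s\"\n\n", inputs[i]);
        else
            printf("hardened handler       : execve(%s, [%s %s %s %s %s])\n\n",
                   argv[0], argv[0], argv[1], argv[2], argv[3], argv[4]);
    }
    return 0;
}
```

Running the example prints the shell string an attacker would control next to the hardened handler's decision for each input; only the legitimate host reaches the argv builder. The point for a reviewer of firmware like this is that escaping alone does not fix argument injection: the separate, explicit reject of a leading '-' (or the "--" terminator) is what stops option smuggling, while dropping the shell is what stops command injection.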
Technical Analysis of Argument Injection – CVE-2025-52905
The firmware’s central web interface ...
Copyright of this story solely belongs to gbhackers.