[CVE-ID]
CVE-2025-28017
[PRODUCT]
TOTOLINK A800R
[Vendor of Product]
TOTOLINK
[VERSION]
V4.1.2cu.5032_B20200408
[Firmware]
https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/166/ids/36.html
[Vulnerability Type]
RCE
[Description]
There is a remote command execution vulnerability in the downloadFile.cgi file of TOTOLINK A800R V4.1.2cu.5032_B20200408. This vulnerability allows an attacker to execute arbitrary commands by sending a crafted HTTP request.
The QUERY_STRING parameter is user-controllable, so an attacker can inject a malicious payload into v24, which is subsequently passed to the system and executed, ultimately leading to remote command execution. Exploitation of this vulnerability does not require authentication.
[POC]
<http://192.168.122.130/cgi-bin/downloadFlile.cgi?payload=123;ls${IFS}/>;
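The description above states the root cause: a query-string value reaches a system call unfiltered, so shell metacharacters such as `;` and `${IFS}` are interpreted as command separators. The following is an added example, not TOTOLINK's code and not derived from the A800R firmware, showing how a CGI handler can take a file name from QUERY_STRING safely: extract the parameter, validate it against a strict allowlist, and, if a helper program must be run, invoke it via execv with an argv array rather than through a shell. The parameter name `payload` and the download directory are assumptions taken from the PoC URL; the function names are hypothetical.

```c
/* Added example (not the vendor's code). Assumed vulnerable pattern: the raw
 * query value is spliced into a command string and handed to system(), so the
 * shell sees ";" and "${IFS}". The hardened handler below never lets the value
 * reach a shell: it is validated, then passed as a single argv element. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Copy the value of query parameter `name` from `qs` into `out`.
 * Returns 1 if found and it fits, 0 otherwise. No percent-decoding is done
 * here; a real handler must decode first and validate the decoded value. */
int get_query_param(const char *qs, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *p = qs;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t seglen = end ? (size_t)(end - p) : strlen(p);
        if (seglen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            size_t vlen = seglen - nlen - 1;
            if (vlen >= outlen) return 0;          /* too long: reject, do not truncate */
            memcpy(out, p + nlen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = end ? end + 1 : NULL;
    }
    return 0;
}

/* Allowlist: a bare file name of [A-Za-z0-9._-], no "/" and no "..".
 * Shell metacharacters (";", "$", "`", "|", "&", whitespace) are rejected
 * by construction rather than by a denylist that is easy to get wrong. */
int is_safe_filename(const char *s)
{
    size_t i, n = strlen(s);
    if (n == 0 || n > 64) return 0;
    if (strstr(s, "..") != NULL) return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    if (s[0] == '-' || s[0] == '.') return 0;   /* no option-looking or hidden names */
    return 1;
}

/* Run a helper without a shell: fork + execv with an argv array, so the file
 * path is one argument and is never parsed by /bin/sh.
 * Returns the child's exit status, or -1 on failure. */
int run_without_shell(const char *tool, const char *dir, const char *name)
{
    char path[256];
    pid_t pid;
    int status;
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path) return -1;
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { (char *)tool, path, NULL };
        execv(tool, argv);
        _exit(127);                              /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Decide whether a request may proceed: 1 = accept (name filled in), 0 = reject. */
int handle_download(const char *query_string, char *name, size_t namelen)
{
    if (!get_query_param(query_string, "payload", name, namelen)) return 0;
    return is_safe_filename(name);
}

int main(void)
{
    char name[128];
    const char *qs = getenv("QUERY_STRING");
    /* Constructed input mirroring the PoC's query when run outside a web server. */
    if (qs == NULL) qs = "payload=123;ls${IFS}/";
    if (!handle_download(qs, name, sizeof name)) {
        printf("Status: 400 Bad Request\r\n\r\nrejected\n");
        return 0;
    }
    printf("Content-Type: text/plain\r\n\r\nok: %s\n", name);
    return 0;
}
```

Run stand-alone it rejects the PoC's query; set QUERY_STRING to a plain file name such as `payload=config.dat` to see the accept path. The two design choices that matter are the allowlist (validation decides what is permitted, not what is forbidden) and the absence of any shell between the request and the executed program.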