Researchers from Unit 42, Palo Alto Networks’ threat intelligence team, have disclosed three newly discovered vulnerabilities in the firmware of the TOTOLINK X6000R router, version V9.4.0cu.1360_B20241207. These flaws could allow attackers to crash devices, execute arbitrary commands without authentication, or achieve persistent remote code execution (RCE).
CVE-2025-52905: Argument Injection
The first flaw, rated High severity (CVSS 7.0), is an argument injection vulnerability. Unit 42 explains that although the firmware includes an input sanitization function, “this function’s blocklist fails to filter the hyphen character (-), creating a High argument injection vulnerability across multiple components.” Argument injection differs from command injection in that the value never has to reach a shell: it is handed to a program as an argument, and a value beginning with a hyphen is parsed as an option, so a blocklist that only strips shell metacharacters does not stop it.
Attackers could exploit this flaw to trigger a denial-of-service (DoS), crashing the router or overwhelming remote servers.
CVE-2025-52906: Unauthenticated Command Injection
The most severe issue, CVE-2025-52906, is rated Critical (CVSS 9.3). The vulnerability lies in the setEasyMeshAgentCfg function, which fails to validate the agentName parameter. As Unit 42 notes, “This vulnerability does not require authentication, meaning any attacker who can reach the router’s web interface can exploit it.”
If successfully exploited, attackers could execute arbitrary commands with root privileges, enabling them to:
- Intercept network traffic
- Pivot to other devices on the same network
- Install persistent malware
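The two input-handling mistakes described above (a blocklist that ignores the hyphen, and a parameter that is not validated at all before it reaches a command) are shown side by side with the hardened form in the following added example. This is illustrative code written for this article, not TOTOLINK firmware: the sanitizer functions, the `/usr/sbin/easymesh_agent` command and its arguments are assumptions chosen to demonstrate the pattern, and the inputs in `main` are constructed payloads.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Blocklist sanitizer: rejects the usual shell metacharacters but, like the
 * flawed firmware filter described above, never considers '-'. */
bool blocklist_ok(const char *s)
{
    const char *bad = ";|&$`<>(){}\n\\\"'";
    for (; *s; s++)
        if (strchr(bad, *s))
            return false;
    return true;
}

/* Allowlist sanitizer for a host/agent-name style field: bounded length,
 * letters, digits, '.', '_' and '-' only, and no leading '-' so the value
 * can never be parsed as an option by the program that receives it. */
bool allowlist_ok(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 64 || s[0] == '-')
        return false;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return false;
    }
    return true;
}

/* Vulnerable pattern: the caller's value is spliced into a shell command line.
 * Anything blocklist_ok misses, or anything at all if no check runs, reaches
 * system(). The command path and arguments are illustrative assumptions. */
int build_cmd_unsafe(char *out, size_t n, const char *agent_name)
{
    return snprintf(out, n, "/usr/sbin/easymesh_agent set name %s", agent_name);
}

/* Hardened pattern: validate, then hand the value to execv*() as its own argv
 * element after "--" so no shell parses it and no option parser treats it as
 * a flag. Returns argc on success, -1 on rejected input. */
int build_argv_safe(const char *argv_out[], size_t cap, const char *agent_name)
{
    if (cap < 6 || !allowlist_ok(agent_name))
        return -1;
    argv_out[0] = "/usr/sbin/easymesh_agent";
    argv_out[1] = "set";
    argv_out[2] = "name";
    argv_out[3] = "--";
    argv_out[4] = agent_name;
    argv_out[5] = NULL;
    return 5;
}

int main(void)
{
    /* Constructed inputs: a command-injection payload and an argument-injection
     * payload. The blocklist stops the first and passes the second; the
     * allowlist rejects both. */
    const char *cmd_inj = "agent01; reboot";
    const char *arg_inj = "-f";   /* a leading hyphen, e.g. ping's flood flag */
    char cmd[256];
    const char *argv[6];

    printf("blocklist: %-18s -> %s\n", cmd_inj, blocklist_ok(cmd_inj) ? "pass" : "reject");
    printf("blocklist: %-18s -> %s\n", arg_inj, blocklist_ok(arg_inj) ? "pass" : "reject");
    printf("allowlist: %-18s -> %s\n", arg_inj, allowlist_ok(arg_inj) ? "pass" : "reject");

    build_cmd_unsafe(cmd, sizeof cmd, cmd_inj);
    printf("unsafe command line: %s\n", cmd);
    printf("safe argv for \"-f\": %d (rejected)\n", build_argv_safe(argv, 6, arg_inj));
    return 0;
}
```

The point of the `--` separator and the separate argv element is that no string concatenation happens at all: the value cannot terminate the command, and even if a future change loosened the allowlist, the receiving program would treat it as an operand rather than an option.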
CVE-2025-52907: Security Bypass and Arbitrary File Write
The third vulnerability, CVE-2025-52907, is another High severity flaw (CVSS 7.3). It allows attackers to bypass incomplete input checks to manipulate system files.
The report explains: “This vulnerability allows for an arbitrary file write by bypassing the same user-input confidence check, enabling an unauthenticated attacker to escalate their attack.”
With this capability, adversaries could corrupt system files, modify /etc/passwd to create new users, or alter boot scripts for persistent RCE.
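The report does not describe how the file-write check is bypassed, so the following added example shows only the defensive side: a check that confines a user-influenced destination to a fixed directory so that targets such as /etc/passwd or boot scripts are unreachable. It is illustrative code written for this article, not TOTOLINK firmware; the base directory `/var/run/easymesh` and the inputs in `main` are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Returns true only if `rel` is a plain relative path: non-empty, no leading
 * '/', no empty, "." or ".." components and no trailing '/'. This is a lexical
 * check; it does not resolve symlinks, so the base directory it is combined
 * with must not contain attacker-controlled links (open with O_NOFOLLOW). */
bool relative_path_ok(const char *rel)
{
    if (rel == NULL || rel[0] == '\0' || rel[0] == '/')
        return false;
    const char *p = rel;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0)                                   /* "a//b" */
            return false;
        if (len == 1 && p[0] == '.')                    /* "./" component */
            return false;
        if (len == 2 && p[0] == '.' && p[1] == '.')     /* traversal */
            return false;
        if (end && end[1] == '\0')                      /* trailing '/' */
            return false;
        p = end ? end + 1 : p + len;
    }
    return true;
}

/* Writes base + "/" + rel into out and returns its length, or -1 if rel is
 * rejected or the result would not fit. */
int confined_path(char *out, size_t n, const char *base, const char *rel)
{
    if (!relative_path_ok(rel))
        return -1;
    int w = snprintf(out, n, "%s/%s", base, rel);
    if (w < 0 || (size_t)w >= n)
        return -1;
    return w;
}

int main(void)
{
    /* Constructed inputs: two escape attempts and one legitimate name. */
    const char *base = "/var/run/easymesh";
    const char *inputs[] = { "../../etc/passwd", "/etc/passwd", "agent/backup.conf" };
    char out[256];

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int r = confined_path(out, sizeof out, base, inputs[i]);
        printf("%-20s -> %s\n", inputs[i], r < 0 ? "rejected" : out);
    }
    return 0;
}
```

Rejecting rather than normalising is deliberate: a sanitiser that strips `..` can be defeated by inputs like `....//`, whereas a check that refuses any component it does not expect has no such rewrite to bypass.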
Widespread Impact and Mitigation
TOTOLINK, a global manufacturer of consumer networking devices, has a wide installation base. As Unit 42 warns, “The widespread adoption of these products makes their security a critical area of focus.”
Fortunately, TOTOLINK has already issued a fix. Users should upgrade their X6000R routers to firmware V9.4.0cu.1498_B20250826 immediately and confirm the new version string in the router’s administration page after the update. Because the most severe flaw needs only network access to the web interface, administrators should also make sure that interface is not reachable from the WAN side until the update is applied.