CVE-2015-9551

CRITICAL

TOTOLINK A850R-V1 < 1.0.1-b20150707.1612 & F1-V2 < 2.1.1-b20150708.1646 - RCE via formSysCmd sysCmd

Title source: llm

Description

An issue was discovered on TOTOLINK A850R-V1 through 1.0.1-B20150707.1612 and F1-V2 through 1.1-B20150708.1646 devices. There is Remote Code Execution in the management interface via the formSysCmd sysCmd parameter.

References (1)

Core 1

Core References

Exploit, Third Party Advisory x_refsource_misc

https://pierrekim.github.io/blog/2015-07-16-backdoor-and-RCE-found-in-8-TOTOLINK-products.html

Scores

CVSS v3 9.8

EPSS 0.0737

EPSS Percentile 91.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status published

Products (8)

totolink/a850r-v1_firmware < 1.0.1-b20150707.1612

totolink/f1-v2_firmware < 2.1.1-b20150708.1646

totolink/f2-v1_firmware < 2.1.0-b20150320.1611

totolink/n150rt-v2_firmware < 2.1.1-b20150708.1548

totolink/n151rt-v2_firmware < 1.1-b20150708.1559

totolink/n300rh-v2_firmware < 2.0.1-b20150708.1625

totolink/n300rh-v3_firmware < 3.0.0-b20150331.0858

totolink/n300rt-v2_firmware < 2.1.1-b20150708.1613

Published Nov 24, 2020

Tracked Since Feb 18, 2026