CVE-2021-27708
CRITICAL TOTOLINK X5000R <9.1.0u.6118_B20201102 - Command Injection
Title source: llmDescription
Command Injection in TOTOLINK X5000R router with firmware v9.1.0u.6118_B20201102, and TOTOLINK A720R router with firmware v4.1.5cu.470_B20200911 allows remote attackers to execute arbitrary OS commands by sending a modified HTTP request. This occurs because the affected function passes untrusted input to glibc's system() function: the "command" parameter of the request is handed directly to system(), so an attacker who controls that field can run commands on the underlying OS.
References (2)
Exploit, Third Party Advisory x_refsource_misc
https://hackmd.io/7FtB06f-SJ-SCfkMYcXYxA
Exploit, Third Party Advisory x_refsource_misc
https://hackmd.io/mDgIBvoxSPCZrZiZjfQGhw
Scores
CVSS v3
9.8
EPSS
0.2015
EPSS Percentile
95.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-78
Status
published
Products (2)
totolink/a720r_firmware
4.1.5cu.470_b20200911
totolink/x5000r_firmware
9.1.0u.6118_b20201102
Published
Apr 14, 2021
Tracked Since
Feb 18, 2026