CVE-2021-27710

CRITICAL

TOTOLINK X5000R <9.1.0u.6118_B20201102 - Command Injection


Description

Command injection in the TOTOLINK X5000R router with firmware v9.1.0u.6118_B20201102 and the TOTOLINK A720R router with firmware v4.1.5cu.470_B20200911 allows remote attackers to execute arbitrary OS commands by sending a modified HTTP request. This occurs because the affected function calls glibc's system() with untrusted input: the "ip" parameter from the request is passed to system() without sanitization, so an attacker who controls the "ip" field can run commands on the underlying OS.

References (2)

Core References (2)

Exploit, Third Party Advisory (x_refsource_misc)
https://hackmd.io/KjXzQdjDRjOuRjoZZXQo_A

Exploit, Third Party Advisory (x_refsource_misc)
https://hackmd.io/Hy3oVgtcQiuqAtv9FdylHw

Scores

CVSS v3 9.8
EPSS 0.2015
EPSS Percentile 95.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (2)
totolink/a720r_firmware 4.1.5cu.470_b20200911
totolink/x5000r_firmware 9.1.0u.6118_b20201102
Published Apr 14, 2021
Tracked Since Feb 18, 2026