Sign-up

ID

VAR-202506-0021


CVE

CVE-2025-5504


TITLE

TOTOLINK X2000R peerRptPin parameter command injection vulnerability

Trust: 0.6

sources: CNVD: CNVD-2025-12166

DESCRIPTION

A vulnerability has been found in TOTOLINK X2000R 1.0.0-B20230726.1108 and classified as critical. This vulnerability affects unknown code of the file /boafrm/formWsc. The manipulation of the argument peerRptPin leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. TOTOLINK X2000R is a wireless router from China's TOTOLINK Electronics. TOTOLINK X2000R has a command injection vulnerability, which is caused by the failure of the peerRptPin parameter to properly filter special characters and commands in constructing commands. No detailed vulnerability details are currently available

Trust: 1.44

sources: NVD: CVE-2025-5504 // CNVD: CNVD-2025-12166

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-12166

AFFECTED PRODUCTS

vendor:totolinkmodel:x2000r 1.0.0-b20230726.1108scope: - version: -

Trust: 0.6

sources: CNVD: CNVD-2025-12166

CVSS

SEVERITY

CVSSV2

CVSSV3

cna@vuldb.com: CVE-2025-5504
value: MEDIUM

Trust: 1.0

CNVD: CNVD-2025-12166
value: MEDIUM

Trust: 0.6

cna@vuldb.com: CVE-2025-5504
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

CNVD: CNVD-2025-12166
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

cna@vuldb.com: CVE-2025-5504
baseSeverity: MEDIUM
baseScore: 6.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 2.8
impactScore: 3.4
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2025-12166 // NVD: CVE-2025-5504

PROBLEMTYPE DATA

problemtype:CWE-74

Trust: 1.0

problemtype:CWE-77

Trust: 1.0

sources: NVD: CVE-2025-5504

EXTERNAL IDS

db:NVDid:CVE-2025-5504

Trust: 1.6

db:VULDBid:310918

Trust: 1.0

db:CNVDid:CNVD-2025-12166

Trust: 0.6

sources: CNVD: CNVD-2025-12166 // NVD: CVE-2025-5504

REFERENCES

url:https://github.com/fizz-is-on-the-way/iot_vuls/blob/main/x2000r/rce_formwsc/rce_formwsc.md

Trust: 1.6

url:https://vuldb.com/?submit.584660

Trust: 1.0

url:https://vuldb.com/?id.310918

Trust: 1.0

url:https://vuldb.com/?ctiid.310918

Trust: 1.0

url:https://www.totolink.net/

Trust: 1.0

sources: CNVD: CNVD-2025-12166 // NVD: CVE-2025-5504

SOURCES

db:CNVDid:CNVD-2025-12166
db:NVDid:CVE-2025-5504

LAST UPDATE DATE

2025-06-14T23:09:41.203000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2025-12166date:2025-06-11T00:00:00
db:NVDid:CVE-2025-5504date:2025-06-04T14:54:33.783

SOURCES RELEASE DATE

db:CNVDid:CNVD-2025-12166date:2025-06-11T00:00:00
db:NVDid:CVE-2025-5504date:2025-06-03T15:16:00.533