ID

VAR-202511-0549


CVE

CVE-2025-60682


TITLE

TOTOLINK A720R firmware command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2025-019456

DESCRIPTION

A command injection vulnerability exists in the TOTOLINK A720R router firmware V4.1.5cu.614_B20230630, in the cloudupdate_check binary, specifically in the function sub_402414 that handles cloud update parameters. The user-supplied 'magicid' and 'url' values are concatenated directly into shell commands and executed via system() without any sanitization or escaping. An unauthenticated remote attacker can exploit this to execute arbitrary commands on the device. TOTOLINK A720R firmware contains a command injection vulnerability; information may be obtained and information may be tampered with. The TOTOLINK A720R is a wireless router from TOTOLINK, a Chinese electronics company; it offers dual-band Wi-Fi and emphasizes high-speed networking and signal coverage. The vulnerability stems from the unverified magicid and url parameters in the cloudupdate_check binary. Detailed vulnerability information is currently unavailable.

Trust: 2.16

sources: NVD: CVE-2025-60682 // JVNDB: JVNDB-2025-019456 // CNVD: CNVD-2025-29710
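The pattern the description names (attacker-controlled 'magicid' and 'url' concatenated into a command string handed to system(), CWE-77) shown next to a hardened variant, as an added illustration that is not TOTOLINK's code and not the contents of the cloudupdate_check binary. The command template, the field length limits and the allowlists are assumptions made for the example; the real binary's command line and its HTTP interface are not published on this page.

```c
/* Added illustration (not TOTOLINK's code): the CWE-77 pattern the
 * advisory describes (untrusted 'magicid' and 'url' concatenated into a
 * system() command) next to a hardened variant that validates both fields
 * and never goes through /bin/sh. Command template, limits and allowlists
 * are hypothetical. Build: cc -std=c11 -Wall example.c */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define CMD_MAX 512

/* Vulnerable pattern: both attacker-controlled strings land in the shell
 * command verbatim, so a ';', '`' or '$(' in either field becomes a second
 * command when system() passes the string to /bin/sh. Returns 0 on success,
 * -1 if the command did not fit. */
int build_update_cmd_vulnerable(const char *magicid, const char *url,
                                char *out, size_t outlen)
{
    /* Hypothetical template; the real binary's command line is not published. */
    int n = snprintf(out, outlen, "wget -q -O /tmp/update_%s.bin '%s'", magicid, url);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Allowlist for the update identifier: short and alphanumeric only. */
static bool magicid_ok(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 32) return false;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)s[i])) return false;
    return true;
}

/* Allowlist for the download URL: http(s) scheme and a conservative
 * character set; shell metacharacters such as ; | ` $ ( ) ' " are rejected. */
static bool url_ok(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 256) return false;
    if (strncmp(s, "http://", 7) != 0 && strncmp(s, "https://", 8) != 0) return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || strchr("-._~:/?=&%+", c))) return false;
    }
    return true;
}

/* Hardened: validate, then build an argv so no shell ever parses the input.
 * Fills pathbuf and argv[0..5] (argv[5] == NULL); returns 0, or -1 on any
 * validation failure. */
int build_update_argv_hardened(const char *magicid, const char *url,
                               char *pathbuf, size_t pathlen,
                               const char *argv[6])
{
    if (!magicid_ok(magicid) || !url_ok(url)) return -1;
    int n = snprintf(pathbuf, pathlen, "/tmp/update_%s.bin", magicid);
    if (n < 0 || (size_t)n >= pathlen) return -1;
    argv[0] = "wget"; argv[1] = "-q"; argv[2] = "-O";
    argv[3] = pathbuf; argv[4] = url; argv[5] = NULL;
    return 0;
}

/* Executes a validated argv directly (fork + execvp, no /bin/sh).
 * Returns the child's exit status, or -1 on fork/wait failure or a signal. */
int run_argv(const char *argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], (char *const *)argv); _exit(127); }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed attacker input: a ';' in magicid chains a second command. */
    const char *bad_id = "1;id";
    const char *url = "http://example.com/fw.bin";
    char cmd[CMD_MAX];
    if (build_update_cmd_vulnerable(bad_id, url, cmd, sizeof cmd) == 0)
        printf("vulnerable command (not executed here): %s\n", cmd);

    char path[64];
    const char *argv[6];
    printf("hardened, injected magicid: %s\n",
           build_update_argv_hardened(bad_id, url, path, sizeof path, argv) == 0
               ? "accepted" : "rejected");
    printf("hardened, clean magicid: %s\n",
           build_update_argv_hardened("abc123", url, path, sizeof path, argv) == 0
               ? "accepted" : "rejected");
    return 0;
}
```

The hardened path rejects the input rather than trying to escape it: escaping for a shell is fragile across quoting contexts, while an allowlist plus execvp removes the shell from the data path altogether. Note also that the description on this page claims unauthenticated arbitrary command execution, while every vector recorded here rates confidentiality and integrity impact as Low/Partial with no availability impact; a defender should size exposure on the descriptive text, not the score.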

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-29710

AFFECTED PRODUCTS

vendor: totolink, model: a720r, scope: eq, version: 4.1.5cu.614_b20230630

Trust: 1.0

vendor: totolink, model: a720r, scope: eq, version: a720r firmware 4.1.5cu.614 b20230630

Trust: 0.8

vendor: totolink, model: a720r, scope: -, version: -

Trust: 0.8

vendor: totolink, model: a720r, scope: eq, version: -

Trust: 0.8

vendor: totolink, model: a720r v4.1.5cu.614 b20230630, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2025-29710 // JVNDB: JVNDB-2025-019456 // NVD: CVE-2025-60682

CVSS

SEVERITY

CVSSV2

CVSSV3

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2025-60682
value: MEDIUM

Trust: 1.0

OTHER: JVNDB-2025-019456
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2025-29710
value: MEDIUM

Trust: 0.6

CNVD: CNVD-2025-29710
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2025-60682
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.5
version: 3.1

Trust: 1.0

OTHER: JVNDB-2025-019456
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2025-29710 // JVNDB: JVNDB-2025-019456 // NVD: CVE-2025-60682

PROBLEMTYPE DATA

problemtype:CWE-77

Trust: 1.0

problemtype:Command injection (CWE-77) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2025-019456 // NVD: CVE-2025-60682

EXTERNAL IDS

db: NVD, id: CVE-2025-60682

Trust: 3.2

db: JVNDB, id: JVNDB-2025-019456

Trust: 0.8

db: CNVD, id: CNVD-2025-29710

Trust: 0.6

sources: CNVD: CNVD-2025-29710 // JVNDB: JVNDB-2025-019456 // NVD: CVE-2025-60682

REFERENCES

url:https://github.com/yifan20020708/sgtaint-0-day/blob/main/totolink/totolink-a720r/cve-2025-60682.md

Trust: 1.8

url:https://www.totolink.net/

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2025-60682

Trust: 1.4

url:http://totolink.com

Trust: 1.0

sources: CNVD: CNVD-2025-29710 // JVNDB: JVNDB-2025-019456 // NVD: CVE-2025-60682

SOURCES

db: CNVD, id: CNVD-2025-29710
db: JVNDB, id: JVNDB-2025-019456
db: NVD, id: CVE-2025-60682

LAST UPDATE DATE

2025-12-19T22:54:53.529000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2025-29710, date: 2025-12-03T00:00:00
db: JVNDB, id: JVNDB-2025-019456, date: 2025-11-19T07:35:00
db: NVD, id: CVE-2025-60682, date: 2025-11-17T19:16:58.540

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2025-29710, date: 2025-12-02T00:00:00
db: JVNDB, id: JVNDB-2025-019456, date: 2025-11-19T00:00:00
db: NVD, id: CVE-2025-60682, date: 2025-11-13T16:15:52.080