ID

VAR-202511-2063


CVE

CVE-2025-60683


TITLE

TOTOLINK A720R Command Injection Vulnerability (CNVD-2025-29711)

Trust: 0.6

sources: CNVD: CNVD-2025-29711

DESCRIPTION

A command injection vulnerability exists in the TOTOLINK A720R router firmware V4.1.5cu.614_B20230630, in the sysconf binary. The function sub_40BFA4, which handles network interface reinitialization driven by the file '/var/system/linux_vlan_reinit', validates each interface name only by checking its prefix and then concatenates the name into shell commands executed via system() without escaping. An attacker who can write to this file can therefore execute arbitrary commands on the device. The TOTOLINK A720R is a dual-band wireless router made by TOTOLINK, a Chinese electronics company, and is marketed for high-speed networking and signal coverage. CNVD records the same flaw as insufficient validation in the sysconf binary's handling of `/var/system/linux_vlan_reinit` and states that detailed vulnerability information was not available to it. Note that the NVD CVSS 3.1 vector below (AV:N/PR:N) assumes the file can be written over the network without authentication, whereas the description presupposes write access to a file under /var/system; how that write access is obtained is not documented on this page.

Trust: 1.44

sources: NVD: CVE-2025-60683 // CNVD: CNVD-2025-29711
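The description above gives the shape of the bug but not the code. The following is an added example, not code from this page, from TOTOLINK's firmware or from the referenced sgtaint-0-day write-up: it models the prefix-only check that sub_40BFA4 is described as performing, builds the command string that would reach system(), and sets a hardened replacement beside it. The required prefix "eth", the ifconfig command, the 16-byte name bound and the sample file contents are all assumptions made for illustration; the page states none of them. Nothing in the block invokes a shell.

```c
/* Added example (not TOTOLINK's code, not the sgtaint-0-day write-up's code).
 * Models the pattern described for sub_40BFA4 in sysconf: a prefix-only check
 * followed by system() on a concatenated string. ASSUMED for illustration:
 * prefix "eth", command ifconfig, 16-byte name bound, sample file content. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IFNAME_MAX 16   /* assumed bound, in the spirit of IFNAMSIZ */

/* Constructed sample content for /var/system/linux_vlan_reinit:
 * one benign name and one that smuggles a second shell command. */
static const char SAMPLE_REINIT[] =
    "eth0\n"
    "eth0; echo pwned > /tmp/pwned\n";

/* VULNERABLE pattern: only the first three bytes are checked, then the whole
 * string is pasted into a shell command line. Returns 0 and fills `out` with
 * what the caller would hand to system(); returns -1 if the prefix check fails. */
int build_cmd_vulnerable(const char *ifname, char *out, size_t outlen)
{
    if (strncmp(ifname, "eth", 3) != 0)          /* prefix-only validation */
        return -1;
    snprintf(out, outlen, "ifconfig %s down; ifconfig %s up", ifname, ifname);
    return 0;                                    /* ...caller does system(out) */
}

/* Helper: does the vulnerable command line for `ifname` contain `needle`? */
int vulnerable_cmd_contains(const char *ifname, const char *needle)
{
    char cmd[256];
    if (build_cmd_vulnerable(ifname, cmd, sizeof cmd) != 0) return 0;
    return strstr(cmd, needle) != NULL;
}

/* HARDENED check: validate the entire name against a strict allowlist,
 * not just its prefix. */
int ifname_is_safe(const char *ifname)
{
    size_t n = strlen(ifname);
    if (n == 0 || n >= IFNAME_MAX) return 0;
    if (strncmp(ifname, "eth", 3) != 0) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)ifname[i];
        /* letters, digits, '.', '-', '_' only: ';', '|', '$', '`', space rejected */
        if (!isalnum(c) && c != '.' && c != '-' && c != '_') return 0;
    }
    return 1;
}

/* HARDENED dispatch: build an argv for execvp()/posix_spawn() so the name
 * reaches ifconfig as one argument and no shell ever parses it. */
int build_argv_safe(const char *ifname, const char *state, const char *argv[4])
{
    if (!ifname_is_safe(ifname) ||
        (strcmp(state, "up") != 0 && strcmp(state, "down") != 0))
        return -1;
    argv[0] = "ifconfig"; argv[1] = ifname; argv[2] = state; argv[3] = NULL;
    return 0;
}

/* Walk file content line by line, as the reinit handler would, and count the
 * entries the hardened check rejects. Returns -1 on allocation failure. */
int count_rejected(const char *content)
{
    size_t len = strlen(content) + 1;
    char *copy = malloc(len);
    int rejected = 0;
    if (!copy) return -1;
    memcpy(copy, content, len);
    for (char *line = strtok(copy, "\n"); line; line = strtok(NULL, "\n"))
        if (!ifname_is_safe(line)) rejected++;
    free(copy);
    return rejected;
}

int main(void)
{
    char cmd[256];
    const char *argv[4];
    size_t len = strlen(SAMPLE_REINIT) + 1;
    char *copy = malloc(len);
    if (!copy) return 1;
    memcpy(copy, SAMPLE_REINIT, len);
    for (char *line = strtok(copy, "\n"); line; line = strtok(NULL, "\n")) {
        if (build_cmd_vulnerable(line, cmd, sizeof cmd) == 0)
            printf("vulnerable path would run: %s\n", cmd);
        if (build_argv_safe(line, "up", argv) == 0)
            printf("hardened path execs: %s %s %s\n", argv[0], argv[1], argv[2]);
        else
            printf("hardened path rejects: %s\n", line);
    }
    free(copy);
    return 0;
}
```

The second sample line passes the prefix check and lands in the command string with its `;` intact, which is exactly the CWE-77 condition the entry describes; the hardened path rejects it twice over (length and character set) and, even for accepted names, passes them as a discrete argv element so shell metacharacters have no meaning.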

IOT TAXONOMY

category: ['Network device']  sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2025-29711

AFFECTED PRODUCTS

vendor: totolink  model: a720r  scope: eq  version: 4.1.5cu.614_b20230630

Trust: 1.0

vendor: totolink  model: a720r v4.1.5cu.614 b20230630  scope: -  version: -

Trust: 0.6

sources: CNVD: CNVD-2025-29711 // NVD: CVE-2025-60683

CVSS

SEVERITY

CVSSV2

CVSSV3

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2025-60683
value: MEDIUM

Trust: 1.0

CNVD: CNVD-2025-29711
value: MEDIUM

Trust: 0.6

CNVD: CNVD-2025-29711
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2025-60683
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.5
version: 3.1

Trust: 1.0

sources: CNVD: CNVD-2025-29711 // NVD: CVE-2025-60683

PROBLEMTYPE DATA

problemtype:CWE-77

Trust: 1.0

sources: NVD: CVE-2025-60683

EXTERNAL IDS

db: NVD  id: CVE-2025-60683

Trust: 1.6

db: CNVD  id: CNVD-2025-29711

Trust: 0.6

sources: CNVD: CNVD-2025-29711 // NVD: CVE-2025-60683

REFERENCES

url:https://github.com/yifan20020708/sgtaint-0-day/blob/main/totolink/totolink-a720r/cve-2025-60683.md

Trust: 1.0

url:http://totolink.com

Trust: 1.0

url:https://www.totolink.net/

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2025-60683

Trust: 0.6

sources: CNVD: CNVD-2025-29711 // NVD: CVE-2025-60683

SOURCES

db: CNVD  id: CNVD-2025-29711
db: NVD  id: CVE-2025-60683

LAST UPDATE DATE

2025-12-19T22:50:29.257000+00:00


SOURCES UPDATE DATE

db: CNVD  id: CNVD-2025-29711  date: 2025-12-03T00:00:00
db: NVD  id: CVE-2025-60683  date: 2025-11-17T19:16:33.620

SOURCES RELEASE DATE

db: CNVD  id: CNVD-2025-29711  date: 2025-12-02T00:00:00
db: NVD  id: CVE-2025-60683  date: 2025-11-13T16:15:52.213