CVE-2025-60702: n/a
A command injection vulnerability exists in the TOTOLINK A950RG Router firmware V5.9c.4592_B20191022_ALL within the `system.so` binary. The `setDiagnosisCfg` function retrieves the `ipDoamin` parameter from user input via `websGetVar` and concatenates it directly into a `ping` system command executed via `CsteSystem()` without any sanitization. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary commands on the device through specially crafted HTTP requests to the router's web interface.
AI Analysis
Technical Summary
CVE-2025-60702 is a command injection vulnerability identified in the TOTOLINK A950RG router firmware version V5.9c.4592_B20191022_ALL. The flaw exists within the system.so binary, specifically in the setDiagnosisCfg function, which handles diagnostic configuration via the router’s web interface. The vulnerability stems from improper input handling: the function retrieves the ipDoamin parameter from user input using websGetVar and directly concatenates this input into a system ping command executed by CsteSystem() without any sanitization or validation. This lack of input sanitization allows an unauthenticated remote attacker to inject arbitrary shell commands by crafting malicious HTTP requests targeting the router’s web interface. Exploiting this vulnerability could enable attackers to execute arbitrary commands on the device, potentially leading to unauthorized control, data leakage, or pivoting within the network. The CVSS v3.1 base score is 6.5, indicating a medium severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impacts on confidentiality and integrity but not availability. No patches or firmware updates are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability is classified under CWE-77 (Improper Neutralization of Special Elements used in a Command).
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to network infrastructure relying on TOTOLINK A950RG routers. Successful exploitation could allow attackers to execute arbitrary commands remotely without authentication, potentially compromising router integrity and the confidentiality of network traffic. This could lead to unauthorized network access, interception or manipulation of data, and use of the compromised router as a foothold for further attacks within the corporate network. While the CVSS vector rates the availability impact as none, the breach of confidentiality and integrity could have significant consequences, especially for organizations handling sensitive or regulated data. The risk is heightened in environments where these routers are deployed at network perimeters or in less monitored segments. Given the lack of known exploits, the immediate threat may be limited, but the ease of exploitation and the unauthenticated nature of the flaw make it a critical concern for proactive defense.
Mitigation Recommendations
Immediate mitigation should focus on restricting access to the router’s web interface by limiting it to trusted management networks or VPNs, and disabling remote management if not required. Network-level protections such as firewall rules that block HTTP requests to the router’s management interface from untrusted sources reduce exposure. Monitoring web-interface traffic for requests whose diagnostic parameters (in particular ipDoamin) carry shell metacharacters or values that are not a plain IP address or hostname can help detect exploitation attempts; because the flaw requires no authentication, such requests from unexpected sources warrant investigation. Since no official patches are currently available, organizations should engage with TOTOLINK support for firmware updates or advisories. As a longer-term measure, consider replacing vulnerable devices with routers from vendors with stronger security track records and timely patch management. Additionally, implement network segmentation to isolate critical assets from devices with known vulnerabilities and maintain up-to-date inventories of network hardware to identify affected devices quickly.
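The following is an editor-added example, not code from this advisory or from TOTOLINK's firmware. It serves two passages above: the Technical Summary, by contrasting the flawed pattern it describes (the raw ipDoamin value pasted into a ping shell command) with a hardened handler that allow-lists the target and runs ping without a shell; and the Mitigation Recommendations, by applying that same allow-list to access-log lines to flag requests whose ipDoamin value could not be a legitimate ping target. The Apache combined log format, the /diag.cgi path and every sample line are constructed assumptions; only the parameter name ipDoamin comes from the advisory.

```python
"""Editor-added example; not the advisory's or TOTOLINK's code.

Part 1: the flawed string-concatenation pattern beside a hardened form
        (allow-list the target, then invoke ping via an argv list, no shell).
Part 2: the same allow-list applied to access-log lines to flag requests
        whose ipDoamin value is not a plain IP address or hostname.
Log format, /diag.cgi path and sample lines are constructed assumptions.
"""
import ipaddress
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# RFC 1123 style hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, at most 63 characters per label.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def is_valid_ping_target(value: str) -> bool:
    """Allow-list check: True only for a literal IPv4/IPv6 address or a hostname.

    Anything else (shell metacharacters, whitespace, a leading '-' that ping
    would read as an option) is rejected outright rather than escaped.
    """
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.fullmatch(value) is not None


def unsafe_ping_command(target: str) -> str:
    """The flawed pattern from the advisory, reproduced only for contrast: the
    parameter is pasted into a command string that a shell will later parse.
    Never executed here; it only shows the resulting string."""
    return "ping -c 4 " + target


def safe_ping_argv(target: str) -> list[str]:
    """Hardened form: validate first, then build an argv list. With a list and
    shell=False there is no shell to interpret ';', '`', '|' or '$(...)'."""
    if not is_valid_ping_target(target):
        raise ValueError("ipDoamin must be a plain IP address or hostname")
    return ["ping", "-c", "4", target]


def run_diagnostic_ping(target: str) -> subprocess.CompletedProcess:
    """How a diagnostics handler would invoke ping safely (not called in tests)."""
    return subprocess.run(safe_ping_argv(target), shell=False,
                          capture_output=True, text=True, timeout=30)


# --- Part 2: detection over access-log lines ---------------------------------

# Apache combined log format (constructed assumption for this example).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: two benign diagnostics calls, two carrying shell
# metacharacters in ipDoamin (percent-encoded, as a client would send them),
# and one unrelated request.
LOG_LINES = [
    '10.0.0.5 - - [13/Nov/2025:19:42:35 +0000] "GET /diag.cgi?ipDoamin=192.0.2.10 HTTP/1.1" 200 312',
    '10.0.0.5 - - [13/Nov/2025:19:43:01 +0000] "GET /diag.cgi?ipDoamin=example.org HTTP/1.1" 200 312',
    '198.51.100.7 - - [13/Nov/2025:19:44:12 +0000] "GET /diag.cgi?ipDoamin=192.0.2.10%3Bid HTTP/1.1" 200 312',
    '198.51.100.7 - - [13/Nov/2025:19:44:30 +0000] "GET /diag.cgi?ipDoamin=%60id%60 HTTP/1.1" 200 312',
    '10.0.0.9 - - [13/Nov/2025:19:45:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]


def find_suspicious_diag_requests(lines):
    """Return one finding per request whose ipDoamin value fails the allow-list.

    Checking against what a ping target may look like, rather than against a
    blocklist of metacharacters, means an unexpected character or encoding
    still gets flagged.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format; skip
        query = urlsplit(m["target"]).query
        # parse_qs percent-decodes values, so %3B becomes ';' before the check
        for raw in parse_qs(query, keep_blank_values=True).get("ipDoamin", []):
            if not is_valid_ping_target(raw):
                findings.append({"src": m["src"], "ts": m["ts"], "ipDoamin": raw})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_diag_requests(LOG_LINES):
        print(f"{f['ts']} {f['src']} suspicious ipDoamin={f['ipDoamin']!r}")
```

Run the file directly to print the flagged lines. If the device passes the parameter in a POST body rather than the query string, feed the decoded body field to is_valid_ping_target() instead; the check itself does not change.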
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-09-26T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 691634ab6c6480bc32165ebe
Added to database: 11/13/2025, 7:42:35 PM
Last enriched: 11/20/2025, 11:13:52 PM
Last updated: 12/28/2025, 4:20:04 PM
Views: 51