Totolink X5000r Firmware — known CVE vulnerabilities
Every CVE whose affected-product data names Totolink X5000r Firmware, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (70)
CVE-2023-30013 — CVSS 9.8 (critical): TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 contain a command insertion vulnerability in setting/setTracerouteCfg…
CVE-2021-27710 — CVSS 9.8 (critical): Command Injection in TOTOLINK X5000R router with firmware v9.1.0u.6118_B20201102, and TOTOLINK A720R router with firmware…
CVE-2021-45733 — CVSS 9.8 (critical): TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a command injection vulnerability in the function NTPSyncWithHost. This…
CVE-2025-70327 — CVSS 9.8 (critical): TOTOLINK X5000R v9.1.0cu_2415_B20250515 contains an argument injection vulnerability in the setDiagnosisCfg handler of the…
CVE-2025-13184 — CVSS 9.8 (critical): Unauthenticated Telnet enablement via cstecgi.cgi (auth bypass) leading to unauthenticated root login with a blank password on…
CVE-2021-45738 — CVSS 9.8 (critical): TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a command injection vulnerability in the function UploadFirmwareFile. This…
CVE-2022-26213 — CVSS 9.8 (critical): Totolink X5000R_Firmware v9.1.0u.6118_B20201102 was discovered to contain a command injection vulnerability in the function setNtpCfg, via…
CVE-2022-27003 — CVSS 9.8 (critical): Totolink routers s X5000R V9.1.0u.6118_B20201102 and A7000R V9.1.0u.6115_B20201022 were discovered to contain a command injection…
CVE-2022-27004 — CVSS 9.8 (critical): Totolink routers s X5000R V9.1.0u.6118_B20201102 and A7000R V9.1.0u.6115_B20201022 were discovered to contain a command injection…
CVE-2022-27005 — CVSS 9.8 (critical): Totolink routers s X5000R V9.1.0u.6118_B20201102 and A7000R V9.1.0u.6115_B20201022 were discovered to contain a command injection…
CVE-2023-31569 — CVSS 9.8 (critical): TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain a command injection via the setWanCfg function.
CVE-2023-33486 — CVSS 9.8 (critical): TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 contain a command insertion vulnerability in setOpModeCfg. This…
CVE-2023-33487 — CVSS 9.8 (critical): TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 contains a command insertion vulnerability in setDiagnosisCfg.This…
CVE-2023-36947 — CVSS 9.8 (critical): TOTOLINK X5000R V9.1.0u.6118_B20201102 and TOTOLINK A7000R V9.1.0u.6115_B20201022 was discovered to contain a stack overflow via the File…
CVE-2023-36950 — CVSS 9.8 (critical): TOTOLINK X5000R V9.1.0u.6118_B20201102 and TOTOLINK A7000R V9.1.0u.6115_B20201022 was discovered to contain a stack overflow via the…
CVE-2023-39617 — CVSS 9.8 (critical): TOTOLINK X5000R_V9.1.0cu.2089_B20211224 and X5000R_V9.1.0cu.2350_B20230313 were discovered to contain a remote code execution (RCE)…
CVE-2023-39618 — CVSS 9.8 (critical): TOTOLINK X5000R B20210419 was discovered to contain a remote code execution (RCE) vulnerability via the setTracerouteCfg interface.
CVE-2023-45984 — CVSS 9.8 (critical): TOTOLINK X5000R V9.1.0u.6118_B20201102 and TOTOLINK A7000R V9.1.0u.6115_B20201022 was discovered to contain a stack overflow via the lang…
CVE-2024-28639 — CVSS 9.8 (critical): Buffer Overflow vulnerability in TOTOLink X5000R V9.1.0u.6118-B20201102 and A7000R V9.1.0u.6115-B20201022, allow remote attackers to…
CVE-2024-32353 — CVSS 9.8 (critical): TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain a command injection vulnerability via the 'port' parameter in the…
CVE-2021-27708 — CVSS 9.8 (critical): Command Injection in TOTOLINK X5000R router with firmware v9.1.0u.6118_B20201102, and TOTOLINK A720R router with firmware…
CVE-2024-42747 — CVSS 8.8 (high): In TOTOLINK X5000r v9.1.0cu.2350_b20230313, the file /cgi-bin/cstecgi.cgi contains an OS command injection vulnerability in setWanIeCfg…
CVE-2024-57021 — CVSS 8.8 (high): TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "eHour" parameter in…
CVE-2024-57020 — CVSS 8.8 (high): TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "sMinute" parameter in…
CVE-2024-57019 — CVSS 8.8 (high): TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "limit" parameter in…
CVE-2024-57011 — CVSS 8.8 (high): TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "minute" parameters in…
CVE-2024-57018 — CVSS 8.8 (high): TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "desc" parameter in…
CVE-2024-57017 — CVSS 8.8 (high): TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "pass" parameter in…
CVE-2024-32350 — CVSS 8.8 (high): TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an authenticated remote command execution (RCE) vulnerability via the…
CVE-2024-32351 — CVSS 8.8 (high): TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an authenticated remote command execution (RCE) vulnerability via the…
CVE-2024-32352 — CVSS 8.8 (high): TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an authenticated remote command execution (RCE) vulnerability via the…
CVE-2024-57012 — CVSS 8.8 (high): TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "week" parameter in…
CVE-2024-42745 — CVSS 8.8 (high): In TOTOLINK X5000r v9.1.0cu.2350_b20230313, the file /cgi-bin/cstecgi.cgi contains an OS command injection vulnerability in setUPnPCfg…
CVE-2024-42748 — CVSS 8.8 (high): In TOTOLINK X5000r v9.1.0cu.2350_b20230313, the file /cgi-bin/cstecgi.cgi contains an OS command injection vulnerability in setWiFiWpsCfg…
CVE-2024-57016 — CVSS 8.8 (high): TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "user" parameter in…
CVE-2024-34921 — CVSS 8.8 (high): TOTOLINK X5000R v9.1.0cu.2350_B20230313 was discovered to contain a command injection via the disconnectVPN function.
CVE-2024-57022 — CVSS 8.8 (high): TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "sHour" parameter in…
CVE-2024-57013 — CVSS 8.8 (high): TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "switch" parameter in…
CVE-2024-42737 — CVSS 8.8 (high): In TOTOLINK X5000r v9.1.0cu.2350_b20230313, the file /cgi-bin/cstecgi.cgi contains an OS command injection vulnerability in delBlacklist…
CVE-2024-42738 — CVSS 8.8 (high): In TOTOLINK X5000r v9.1.0cu.2350_b20230313, the file /cgi-bin/cstecgi.cgi contains an OS command injection vulnerability in setDmzCfg…
CVE-2024-42739 — CVSS 8.8 (high): In TOTOLINK X5000r v9.1.0cu.2350_b20230313, the file /cgi-bin/cstecgi.cgi contains an OS command injection vulnerability in…
CVE-2024-57014 — CVSS 8.8 (high): TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "recHour" parameter in…
CVE-2024-57015 — CVSS 8.8 (high): TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "hour" parameter in…
CVE-2023-33485 — CVSS 8.8 (high): TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 contains a post-authentication buffer overflow via parameter sPort/ePort…
CVE-2024-42741 — CVSS 8.8 (high): In TOTOLINK X5000r v9.1.0cu.2350_b20230313, the file /cgi-bin/cstecgi.cgi contains an OS command injection vulnerability in…
CVE-2024-42742 — CVSS 8.8 (high): In TOTOLINK X5000r v9.1.0cu.2350_b20230313, the file /cgi-bin/cstecgi.cgi contains an OS command injection vulnerability in…
CVE-2024-42743 — CVSS 8.8 (high): In TOTOLINK X5000r v9.1.0cu.2350_b20230313, the file /cgi-bin/cstecgi.cgi contains an OS command injection vulnerability in setSyslogCfg…
CVE-2024-42744 — CVSS 8.8 (high): In TOTOLINK X5000r v9.1.0cu.2350_b20230313, the file /cgi-bin/cstecgi.cgi contains an OS command injection vulnerability in…
CVE-2025-70329 — CVSS 8.0 (high): TOTOLink X5000R v9.1.0cu_2415_B20250515 contains an OS command injection vulnerability in the setIptvCfg handler of the /usr/sbin/lighttpd…
CVE-2024-32355 — CVSS 8.0 (high): TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain a command injection vulnerability via the 'password' parameter in the…
CVE-2024-42736 — CVSS 7.8 (high): In TOTOLINK X5000r v9.1.0cu.2350_b20230313, the file /cgi-bin/cstecgi.cgi contains an OS command injection vulnerability in addBlacklist…
CVE-2021-45734 — CVSS 7.5 (high): TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a stack overflow in the function setUrlFilterRules. This vulnerability…
CVE-2021-45735 — CVSS 7.5 (high): TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to use the HTTP protocol for authentication into the admin interface, allowing…
CVE-2024-28640 — CVSS 7.5 (high): Buffer Overflow vulnerability in TOTOLink X5000R V9.1.0u.6118-B20201102 and A7000R V9.1.0u.6115-B20201022 allows a remote attacker to cause…
CVE-2021-45736 — CVSS 7.5 (high): TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a stack overflow in the function setL2tpServerCfg. This vulnerability…
CVE-2024-25468 — CVSS 7.5 (high): An issue in TOTOLINK X5000R V.9.1.0u.6369_B20230113 allows a remote attacker to cause a denial of service via the host_time parameter of…
CVE-2025-67445 — CVSS 7.5 (high): TOTOLINK X5000R V9.1.0cu.2415_B20250515 contains a denial-of-service vulnerability in /cgi-bin/cstecgi.cgi. The CGI reads the…
CVE-2023-45985 — CVSS 7.5 (high): TOTOLINK X5000R V9.1.0u.6118_B20201102 and TOTOLINK A7000R V9.1.0u.6115_B20201022 were discovered to contain a stack overflow in the…
CVE-2021-45741 — CVSS 7.5 (high): TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a stack overflow in the function setIpv6Cfg. This vulnerability allows…
CVE-2024-42740 — CVSS 6.8 (medium): In TOTOLINK X5000r v9.1.0cu.2350_b20230313, the file /cgi-bin/cstecgi.cgi contains an OS command injection vulnerability in setLedCfg…
CVE-2024-57023 — CVSS 6.8 (medium): TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "week" parameter in…
CVE-2024-57024 — CVSS 6.8 (medium): TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "eMinute" parameter in…
CVE-2024-57025 — CVSS 6.8 (medium): TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an OS command injection vulnerability via the "desc" parameter in…
CVE-2025-25604 — CVSS 6.5 (medium): Totolink X5000R V9.1.0u.6369_B20230113 is vulnerable to command injection via the vif_disable function in mtkwifi.lua.
CVE-2025-25605 — CVSS 6.5 (medium): Totolink X5000R V9.1.0u.6369_B20230113 is vulnerable to command injection via the apcli_wps_gen_pincode function in mtkwifi.lua.
CVE-2025-9934 — CVSS 6.3 (medium): A vulnerability was found in TOTOLINK X5000R 9.1.0cu.2415_B20250515. This affects the function sub_410C34 of the file /cgi-bin/cstecgi.cgi…
CVE-2025-14586 — CVSS 6.3 (medium): A vulnerability was determined in TOTOLINK X5000R 9.1.0cu.2089_B20211224. Affected by this issue is the function snprintf of the file…
CVE-2024-32349 — CVSS 6.0 (medium): TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain an authenticated remote command execution (RCE) vulnerability via the…
CVE-2024-32354 — CVSS 6.0 (medium): TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain a command injection vulnerability via the 'timeout' parameter in the…
CVE-2023-6612 — CVSS 5.5 (medium): A vulnerability was found in Totolink X5000R 9.1.0cu.2300_B20230112. It has been rated as critical. This issue affects the function…