Vulnerability Description
A command injection vulnerability exists in the ToToLink A720R Router firmware V4.1.5cu.614_B20230630 within the cloudupdate_check binary, specifically in the sub_402414 function that handles cloud update parameters. User-supplied 'magicid' and 'url' values are directly concatenated into shell commands and executed via system() without any sanitization or escaping. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary commands on the device.
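The defect named in the description, a request parameter spliced into a command string and run through system(), together with the two controls that close it (allowlist validation of each parameter, and launching the helper with an argv vector so no shell parses the line), as an added C example constructed for this page. It is not the firmware's code and not the advisory author's proof of concept; the helper name cloudupdate_tool, its -m/-u flags, the length limits and the sample inputs are all assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern (constructed; not the firmware's code): the values of
 * 'magicid' and 'url' are copied verbatim into a command line that would be
 * handed to system(), so any shell metacharacter in them reaches /bin/sh. */
static int build_shell_command_unsafe(char *out, size_t outlen,
                                      const char *magicid, const char *url)
{
    /* "cloudupdate_tool" and its flags are assumed names for illustration */
    return snprintf(out, outlen, "cloudupdate_tool -m %s -u %s", magicid, url);
}

/* Does a parameter value contain characters /bin/sh would interpret?
 * Usable as a detection check over request parameters in logs. */
static bool contains_shell_metachar(const char *s)
{
    return strpbrk(s, ";|&`$()<>{}\n\r'\"\\ \t") != NULL;
}

/* Shows that the unsafe builder passes the raw value straight through:
 * returns true when 'needle' appears verbatim in the generated command. */
static bool unsafe_command_contains(const char *magicid, const char *url,
                                    const char *needle)
{
    char cmd[512];
    build_shell_command_unsafe(cmd, sizeof cmd, magicid, url);
    return strstr(cmd, needle) != NULL;
}

/* Hardened validation: allowlist, not denylist. 'magicid' is limited to
 * [A-Za-z0-9_-]; 'url' must be https and limited to the characters the
 * updater needs. Length limits (32, 256) are assumptions for this example. */
static bool is_safe_magicid(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 32) return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '_' && c != '-') return false;
    }
    return true;
}

static bool is_safe_url(const char *s)
{
    size_t n = strlen(s);
    if (n < 9 || n > 256) return false;            /* at least "https://x" */
    if (strncmp(s, "https://", 8) != 0) return false;
    for (size_t i = 8; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && strchr("-._~:/?=&%", c) == NULL) return false;
    }
    return true;
}

/* Hardened execution: no shell at all. Each value is one argv element for
 * execvp(), so even a value that slipped past validation is a single
 * argument, never parsed as a command line. Returns the child's exit
 * status, or -1 on validation failure or process error. */
static int run_update_check(const char *magicid, const char *url)
{
    if (!is_safe_magicid(magicid) || !is_safe_url(url)) return -1;

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "cloudupdate_tool", "-m", (char *)magicid,
                               "-u", (char *)url, NULL };
        execvp(argv[0], argv);
        _exit(127);                                /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample inputs, not captured traffic */
    const char *good_id = "abc123";
    const char *bad_id = "abc123;ls";
    const char *url = "https://update.example.com/fw.bin?v=1";

    printf("unsafe builder keeps ';ls' verbatim: %d\n",
           unsafe_command_contains(bad_id, url, ";ls"));
    printf("bad id flagged by metachar check:    %d\n",
           contains_shell_metachar(bad_id));
    printf("hardened path rejects bad id:        %d\n",
           run_update_check(bad_id, url) == -1);
    printf("hardened path accepts good id:       %d\n",
           is_safe_magicid(good_id) && is_safe_url(url));
    return 0;
}
```

The ordering matters: the allowlist rejects the request before any process is created, and exec-without-shell is the second layer in case the allowlist is ever relaxed. The metacharacter check is a denylist and is only offered here for detection over logged parameters, not as the primary control.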
CVSS Score
6.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Totolink | A720R Firmware | 4.1.5cu.614_b20230630 |
| Totolink | A720R | - |
Related Weaknesses (CWE)
References
- http://totolink.com (Broken Link)
- https://github.com/yifan20020708/SGTaint-0-day/blob/main/ToToLink/ToToLink-A720RExploit (Third Party Advisory)
- https://www.totolink.net/Product
FAQ
What is CVE-2025-60682?
CVE-2025-60682 is a vulnerability with a CVSS score of 6.5 (MEDIUM). A command injection vulnerability exists in the ToToLink A720R Router firmware V4.1.5cu.614_B20230630 within the cloudupdate_check binary, specifically in the sub_402414 function that handles cloud up...
How severe is CVE-2025-60682?
CVE-2025-60682 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2025-60682?
Check the references section above for vendor advisories and patch information. Affected products include: Totolink A720R Firmware, Totolink A720R.