CVE-2025-60683 — MEDIUM (6.5)

Vulnerability Description

A command injection vulnerability exists in the ToToLink A720R Router firmware V4.1.5cu.614_B20230630 within the sysconf binary, specifically in the sub_40BFA4 function that handles network interface reinitialization from '/var/system/linux_vlan_reinit'. Input is only partially validated by checking the prefix of interface names, and is concatenated into shell commands executed via system() without escaping. An attacker with write access to this file can execute arbitrary commands on the device.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Totolink	A720R Firmware	4.1.5cu.614_b20230630
Totolink	A720R	-

Related Weaknesses (CWE)

CWE-77

References

http://totolink.comBroken Link
https://github.com/yifan20020708/SGTaint-0-day/blob/main/ToToLink/ToToLink-A720RExploitThird Party Advisory
https://www.totolink.net/Product

FAQ

What is CVE-2025-60683?

CVE-2025-60683 is a vulnerability with a CVSS score of 6.5 (MEDIUM). A command injection vulnerability exists in the ToToLink A720R Router firmware V4.1.5cu.614_B20230630 within the sysconf binary, specifically in the sub_40BFA4 function that handles network interface ...

How severe is CVE-2025-60683?

CVE-2025-60683 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-60683?

Check the references section above for vendor advisories and patch information. Affected products include: Totolink A720R Firmware, Totolink A720R.