TOTOLINK X5000R v9.1.0cu_2415_B20250515 contains an argument injection vulnerability in the setDiagnosisCfg handler of the /usr/sbin/lighttpd executable. The ip parameter is retrieved via websGetVar and passed to a ping command through CsteSystem without validating if the input starts with a hyphen (-). This allows remote authenticated attackers to inject arbitrary command-line options into the ping utility, potentially leading to a Denial of Service (DoS) by causing excessive resource consumption or prolonged execution.
CVE-2025-70327
NONE
EPSS 2.53%
Updated Feb 24, 2026
TOTOLINK
CVE Details
CVE ID
CVE-2025-70327
Published Date
Feb 23, 2026
Vendor
TOTOLINK
Severity
NONE
Exploit Prediction (EPSS)
Probability of Exploit
2.53%
Likelihood of exploitation in next 30 days
Percentile:
85.5th percentile (higher than 85.5% of all CVEs)
Standard patching cycle
Impact
Minimal impact
Source
View Advisory