Totolink A6000R Firmware vulnerabilities

CVE-2025-3249 [MEDIUM] CWE-74 CVE-2025-3249: A vulnerability classified as critical was found in TOTOLINK A6000R 1.0.1-B20201211.2000. Affected b A vulnerability classified as critical was found in TOTOLINK A6000R 1.0.1-B20201211.2000. Affected by this vulnerability is the function apcli_cancel_wps of the file /usr/lib/lua/luci/controller/mtkwifi.lua. The manipulation leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

CVE-2024-57211 [HIGH] CWE-77 CVE-2024-57211: TOTOLINK A6000R V1.0.1-B20201211.2000 was discovered to contain a command injection vulnerability vi TOTOLINK A6000R V1.0.1-B20201211.2000 was discovered to contain a command injection vulnerability via the modifyOne parameter in the enable_wsh function.

CVE-2024-57212 [MEDIUM] CWE-77 CVE-2024-57212: TOTOLINK A6000R V1.0.1-B20201211.2000 was discovered to contain a command injection vulnerability vi TOTOLINK A6000R V1.0.1-B20201211.2000 was discovered to contain a command injection vulnerability via the opmode parameter in the action_reboot function.

CVE-2024-57214 [MEDIUM] CWE-77 CVE-2024-57214: TOTOLINK A6000R V1.0.1-B20201211.2000 was discovered to contain a command injection vulnerability vi TOTOLINK A6000R V1.0.1-B20201211.2000 was discovered to contain a command injection vulnerability via the devname parameter in the reset_wifi function.

CVE-2024-57213 [MEDIUM] CWE-77 CVE-2024-57213: TOTOLINK A6000R V1.0.1-B20201211.2000 was discovered to contain a command injection vulnerability vi TOTOLINK A6000R V1.0.1-B20201211.2000 was discovered to contain a command injection vulnerability via the newpasswd parameter in the action_passwd function.

CVE-2024-41319 [CRITICAL] CWE-77 CVE-2024-41319: TOTOLINK A6000R V1.0.1-B20201211.2000 was discovered to contain a command injection vulnerability vi TOTOLINK A6000R V1.0.1-B20201211.2000 was discovered to contain a command injection vulnerability via the cmd parameter in the webcmd function.

CVE-2024-41318 [CRITICAL] CWE-77 CVE-2024-41318: TOTOLINK A6000R V1.0.1-B20201211.2000 was discovered to contain a command injection vulnerability vi TOTOLINK A6000R V1.0.1-B20201211.2000 was discovered to contain a command injection vulnerability via the ifname parameter in the apcli_wps_gen_pincode function.

CVE-2024-41316 [CRITICAL] CWE-77 CVE-2024-41316: TOTOLINK A6000R V1.0.1-B20201211.2000 was discovered to contain a command injection vulnerability vi TOTOLINK A6000R V1.0.1-B20201211.2000 was discovered to contain a command injection vulnerability via the ifname parameter in the apcli_cancel_wps function.

CVE-2024-41320 [HIGH] CWE-77 CVE-2024-41320: TOTOLINK A6000R V1.0.1-B20201211.2000 was discovered to contain a command injection vulnerability vi TOTOLINK A6000R V1.0.1-B20201211.2000 was discovered to contain a command injection vulnerability via the ifname parameter in the get_apcli_conn_info function.

CVE-2024-41317 [HIGH] CWE-78 CVE-2024-41317: TOTOLINK A6000R V1.0.1-B20201211.2000 was discovered to contain a command injection vulnerability vi TOTOLINK A6000R V1.0.1-B20201211.2000 was discovered to contain a command injection vulnerability via the ifname parameter in the apcli_do_enr_pbc_wps function.

CVE-2024-41315 [MEDIUM] CWE-78 CVE-2024-41315: TOTOLINK A6000R V1.0.1-B20201211.2000 was discovered to contain a command injection vulnerability vi TOTOLINK A6000R V1.0.1-B20201211.2000 was discovered to contain a command injection vulnerability via the ifname parameter in the apcli_do_enr_pin_wps function.

CVE-2024-41314 [MEDIUM] CWE-78 CVE-2024-41314: TOTOLINK A6000R V1.0.1-B20201211.2000 was discovered to contain a command injection vulnerability vi TOTOLINK A6000R V1.0.1-B20201211.2000 was discovered to contain a command injection vulnerability via the iface parameter in the vif_disable function.

CVE-2024-37626 [HIGH] CWE-78 CVE-2024-37626: A command injection issue in TOTOLINK A6000R V1.0.1-B20201211.2000 firmware allows a remote attacker A command injection issue in TOTOLINK A6000R V1.0.1-B20201211.2000 firmware allows a remote attacker to execute arbitrary code via the iface parameter in the vif_enable function.