TOTOLINK CP900 firmware vulnerabilities

13 known vulnerabilities affecting totolink/cp900_firmware.

Total CVEs: 13
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 1, MEDIUM 5

Vulnerabilities

CVE-2025-44836 | MEDIUM | CVSS 6.3 | v6.3c.1144_b20190715 | 2025-05-01
CWE-77: TOTOLINK CPE CP900 V6.3c.1144_B20190715 was discovered to contain a command injection vulnerability in the setApRebootScheCfg function via the hour or minute parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
Source: NVD
CVE-2025-44837 | MEDIUM | CVSS 6.3 | v6.3c.1144_b20190715 | 2025-05-01
CWE-77: TOTOLINK CPE CP900 V6.3c.1144_B20190715 was discovered to contain a command injection vulnerability in the CloudSrvUserdataVersionCheck function via the url or magicid parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
Source: NVD
CVE-2025-44854 | MEDIUM | CVSS 6.3 | v6.3c.1144_b20190715 | 2025-05-01
CWE-77: TOTOLINK CP900 V6.3c.1144_B20190715 was found to contain a command injection vulnerability in the setUpgradeUboot function via the FileName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
Source: NVD
CVE-2025-44838 | MEDIUM | CVSS 6.3 | v6.3c.1144_b20190715 | 2025-05-01
CWE-77: TOTOLINK CPE CP900 V6.3c.1144_B20190715 was discovered to contain a command injection vulnerability in the setUploadUserData function via the FileName parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
Source: NVD
CVE-2024-7463 | HIGH | CVSS 8.7 | v6.3c.566 | 2024-08-05
CWE-120: A vulnerability classified as critical was found in TOTOLINK CP900 6.3c.566. This vulnerability affects the function UploadCustomModule of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument File leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of thi
Source: NVD
CVE-2024-7464 | MEDIUM | CVSS 5.3 | v6.3c.566 | 2024-08-05
CWE-77: A vulnerability, which was classified as critical, has been found in TOTOLINK CP900 6.3c.566. This issue affects the function setTelnetCfg of the component Telnet Service. The manipulation of the argument telnet_enabled leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The id
Source: NVD
CVE-2022-28495 | CRITICAL | CVSS 9.8 | v6.3c.566_b20171026 | 2023-03-24
CWE-78: TOTOLink outdoor CPE CP900 V6.3c.566_B20171026 is discovered to contain a command injection vulnerability in the setWebWlanIdx function via the webWlanIdx parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
Source: NVD
CVE-2022-28496 | CRITICAL | CVSS 9.8 | v6.3c.566_b20171026 | 2023-03-23
CWE-77: TOTOLink outdoor CPE CP900 V6.3c.566_B20171026 is discovered to contain a command injection vulnerability in the setPasswordCfg function via the adminuser and adminpass parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
Source: NVD
CVE-2022-28497 | CRITICAL | CVSS 9.8 | v6.3c.566_b20171026 | 2023-03-23
CWE-77: TOTOLink outdoor CPE CP900 V6.3c.566_B20171026 is discovered to contain a command injection vulnerability in the mtd_write_bootloader function via the filename parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
Source: NVD
CVE-2022-28492 | CRITICAL | CVSS 9.8 | v6.3c.566 | 2023-03-23
TOTOLINK Technology CPE with firmware V6.3c.566 allows remote attackers to bypass Login.
Source: NVD
CVE-2022-28491 | CRITICAL | CVSS 9.8 | v6.3c.566_b20171026 | 2023-03-23
CWE-78: TOTOLink outdoor CPE CP900 V6.3c.566_B20171026 contains a command injection vulnerability in the NTPSyncWithHost function via the host_name parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
Source: NVD
CVE-2022-28494 | CRITICAL | CVSS 9.8 | v6.3c.566_b20171026 | 2023-03-23
CWE-78: TOTOLink outdoor CPE CP900 V6.3c.566_B20171026 is discovered to contain a command injection vulnerability in the setUpgradeFW function via the filename parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
Source: NVD
CVE-2022-28493 | CRITICAL | CVSS 9.8 | v6.3c.566 | 2023-03-23
A vulnerability in TOTOLINK CP900 V6.3c.566 allows attackers to start the Telnet service,
Source: NVD