Totolink X18 Firmware vulnerabilities
14 known vulnerabilities affecting totolink/x18_firmware.
Total CVEs: 14
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 1, MEDIUM 3
Vulnerabilities
CVE-2025-61045 [CRITICAL] CVSS 9.8 | CWE-77 | v9.1.0cu.2053_b20230309 | 2025-10-01
TOTOLINK X18 V9.1.0cu.2053_B20230309 was discovered to contain a command injection vulnerability via the mac parameter in the setEasyMeshAgentCfg function.
nvd
CVE-2025-61044 [CRITICAL] CVSS 9.8 | CWE-77 | v9.1.0cu.2053_b20230309 | 2025-10-01
TOTOLINK X18 V9.1.0cu.2053_B20230309 was discovered to contain a command injection vulnerability via the agentName parameter in the setEasyMeshAgentCfg function.
nvd
CVE-2025-29209 [CRITICAL] CVSS 9.8 | CWE-77 | v9.1.0cu.2024_b20220329 | 2025-04-18
TOTOLINK X18 v9.1.0cu.2024_B20220329 has an unauthorized arbitrary command execution vulnerability in the enable parameter of the sub_41105C function of cstecgi.cgi.
nvd
CVE-2025-29064 [CRITICAL] CVSS 9.8 | CWE-94 | v9.1.0cu.2024_b20220329 | 2025-04-03
An issue in TOTOLINK x18 v.9.1.0cu.2024_B20220329 allows a remote attacker to execute arbitrary code via the sub_410E54 function of the cstecgi.cgi.
nvd
CVE-2025-1829 [MEDIUM] CVSS 5.3 | CWE-77 | v9.1.0cu.2024_b20220329 | 2025-03-02
A vulnerability was found in TOTOLINK X18 9.1.0cu.2024_B20220329. It has been declared as critical. This vulnerability affects the function setMtknatCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument mtkhnatEnable leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may
nvd
CVE-2025-1340 [HIGH] CVSS 8.7 | CWE-119 | v9.1.0cu.2024_b20220329 | 2025-02-16
A vulnerability classified as critical has been found in TOTOLINK X18 9.1.0cu.2024_B20220329. Affected is the function setPasswordCfg of the file /cgi-bin/cstecgi.cgi. The manipulation as part of String leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The ve
nvd
CVE-2025-1339 [MEDIUM] CVSS 5.3 | CWE-77 | v9.1.0cu.2024_b20220329 | 2025-02-16
A vulnerability was found in TOTOLINK X18 9.1.0cu.2024_B20220329. It has been rated as critical. This issue affects the function setL2tpdConfig of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument enable leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The v
nvd
CVE-2024-10966 [MEDIUM] CVSS 5.3 | CWE-77 | v9.1.0cu.2024_b20220329 | 2024-11-07
A vulnerability, which was classified as critical, has been found in TOTOLINK X18 9.1.0cu.2024_B20220329. Affected by this issue is some unknown functionality of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument enable leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and ma
nvd
CVE-2023-29800 [CRITICAL] CVSS 9.8 | CWE-77 | v9.1.0cu.2024_b20220329 | 2023-04-14
TOTOLINK X18 V9.1.0cu.2024_B20220329 was discovered to contain a command injection vulnerability via the FileName parameter in the UploadFirmwareFile function.
nvd
CVE-2023-29803 [CRITICAL] CVSS 9.8 | CWE-77 | v9.1.0cu.2024_b20220329 | 2023-04-14
TOTOLINK X18 V9.1.0cu.2024_B20220329 was discovered to contain a command injection vulnerability via the pid parameter in the disconnectVPN function.
nvd
CVE-2023-29799 [CRITICAL] CVSS 9.8 | CWE-77 | v9.1.0cu.2024_b20220329 | 2023-04-14
TOTOLINK X18 V9.1.0cu.2024_B20220329 was discovered to contain a command injection vulnerability via the hostname parameter in the setOpModeCfg function.
nvd
CVE-2023-29801 [CRITICAL] CVSS 9.8 | CWE-77 | v9.1.0cu.2024_b20220329 | 2023-04-14
TOTOLINK X18 V9.1.0cu.2024_B20220329 was discovered to contain multiple command injection vulnerabilities via the rtLogEnabled and rtLogServer parameters in the setSyslogCfg function.
nvd
CVE-2023-29798 [CRITICAL] CVSS 9.8 | CWE-77 | v9.1.0cu.2024_b20220329 | 2023-04-14
TOTOLINK X18 V9.1.0cu.2024_B20220329 was discovered to contain a command injection vulnerability via the command parameter in the setTracerouteCfg function.
nvd
CVE-2023-29802 [CRITICAL] CVSS 9.8 | CWE-77 | v9.1.0cu.2021_b20220326, v9.1.0cu.2024_b20220329 | 2023-04-14
TOTOLINK X18 V9.1.0cu.2024_B20220329 was discovered to contain a command injection vulnerability via the ip parameter in the setDiagnosisCfg function.
nvd