Cyber Resilience

CVE-2025-70327

Critical · Public PoC · DDoS

Published: 23 February 2026
Modified: 26 February 2026
KEV Added: not listed
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0069 (48.1st percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-70327 is a critical-severity Argument Injection (CWE-88) vulnerability in Totolink X5000R Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 48.1st percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-70327 is an argument injection vulnerability affecting the TOTOLINK X5000R router running firmware version v9.1.0cu_2415_B20250515. The issue resides in the setDiagnosisCfg handler within the /usr/sbin/lighttpd executable, where the "ip" parameter is retrieved using websGetVar and passed directly to a ping command via CsteSystem without checking for inputs that start with a hyphen (-). This flaw corresponds to CWE-88 (Improper Neutralization of Argument Delimiters in a Command) and CWE-400 (Uncontrolled Resource Consumption), earning a CVSS v3.1 base score of 9.8 (Critical: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Remote attackers can exploit this vulnerability by supplying a malicious "ip" parameter that injects arbitrary command-line options into the ping utility. Although the description specifies remote authenticated attackers, the CVSS vector indicates no privileges (PR:N) are required. Successful exploitation enables denial-of-service (DoS) conditions through excessive resource consumption or prolonged execution of the ping command.
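The input-validation control (NIST 800-53 SI-10) named in the summary is the direct fix for the pattern described above. The following C code is an added example and is not TOTOLINK's code or anything from the referenced reports; it shows how a handler can treat a user-supplied ping target before it ever reaches the ping binary: reject a leading hyphen so the value can never be parsed as an option, accept only a well-formed IP literal (allow-list, checked by inet_pton rather than a regex), and hand it over as a single argv element with a fixed probe count and deadline instead of a shell-interpreted command string. The function names, the choice of ping flags (iputils/BusyBox semantics assumed), and the sample inputs are assumptions.

```c
/* Added example (not TOTOLINK's code): validating a user-supplied ping target
 * so it cannot be interpreted as a ping option or as a shell token.
 * Function names and the ping flag choices are hypothetical. */
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_TARGET_LEN 64

/* Return 1 if `s` is a well-formed IPv4 or IPv6 literal that is safe to pass
 * to ping as a positional argument, 0 otherwise. The check is an allow-list;
 * it never tries to enumerate dangerous characters. */
int ping_target_is_valid(const char *s)
{
    unsigned char addr[16];
    size_t len, i;

    if (s == NULL)
        return 0;
    len = strlen(s);
    if (len == 0 || len > MAX_TARGET_LEN)
        return 0;
    if (s[0] == '-')            /* the CWE-88 case: would be read as an option */
        return 0;
    for (i = 0; i < len; i++) { /* only characters an IP literal can contain */
        unsigned char c = (unsigned char)s[i];
        if (!isxdigit(c) && c != '.' && c != ':')
            return 0;           /* rejects spaces, ';', '|', '$', and so on */
    }
    /* Syntactic validation by the system's own address parser. */
    if (inet_pton(AF_INET, s, addr) == 1)
        return 1;
    if (inet_pton(AF_INET6, s, addr) == 1)
        return 1;
    return 0;
}

/* Fill `argv` for an execvp()-style call: the target is always exactly one
 * argument, and a fixed packet count plus a deadline bound the run time so a
 * single request cannot hold the process for long (the CWE-400 side).
 * Returns 0 on success, -1 if the target is rejected or the array is too small. */
int build_ping_argv(const char *target, const char *argv[], size_t argc_max)
{
    if (argc_max < 7 || !ping_target_is_valid(target))
        return -1;
    argv[0] = "ping";
    argv[1] = "-c"; argv[2] = "4";   /* four probes, then stop */
    argv[3] = "-w"; argv[4] = "10";  /* give up after 10 seconds regardless */
    argv[5] = target;
    argv[6] = NULL;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: one legitimate target, two that are rejected. */
    const char *samples[] = { "192.168.1.1", "-h", "192.168.1.1 extra" };
    const char *argv[7];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (build_ping_argv(samples[i], argv, 7) == 0)
            printf("accepted: \"%s\" -> %s %s %s %s %s %s\n", samples[i],
                   argv[0], argv[1], argv[2], argv[3], argv[4], argv[5]);
        else
            printf("rejected: \"%s\"\n", samples[i]);
    }
    return 0;
}
```

Hostnames are deliberately not accepted here; if a diagnostics page must support them, the same structure applies with a hostname grammar check in place of inet_pton, and the leading-hyphen rejection plus argv-based execution remain the essential parts.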

Advisories detailing the vulnerability, including potential mitigation steps, are available in the referenced reports at https://github.com/neighborhood-H/0-DAY/blob/main/Toto-link/X5000R/SetDiagnosisCfg/report.md and https://www.notion.so/TOTOLINK-X5000R-SetDiagnosisCfg-2d170566ca7f8098a0bcee9f2a15d40d?source=copy_link. Security practitioners should consult these for vendor-specific patch information or workarounds.

Vulnerability details

TOTOLINK X5000R v9.1.0cu_2415_B20250515 contains an argument injection vulnerability in the setDiagnosisCfg handler of the /usr/sbin/lighttpd executable. The ip parameter is retrieved via websGetVar and passed to a ping command through CsteSystem without validating whether the input starts with a hyphen (-). This allows remote authenticated attackers to inject arbitrary command-line options into the ping utility, potentially leading to a Denial of Service (DoS) by causing excessive resource consumption or prolonged execution.

CWE(s): CWE-88 (Improper Neutralization of Argument Delimiters in a Command), CWE-400 (Uncontrolled Resource Consumption)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Public-facing router web interface vulnerable to unauthenticated argument injection (T1190), enabling DoS via ping resource exhaustion or abuse (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-67445 (same product: Totolink X5000R)
CVE-2024-57016 (same product: Totolink X5000R)
CVE-2024-57013 (same product: Totolink X5000R)
CVE-2024-57012 (same product: Totolink X5000R)
CVE-2024-57017 (same product: Totolink X5000R)
CVE-2024-57022 (same product: Totolink X5000R)
CVE-2025-13184 (same product: Totolink X5000R)
CVE-2024-57018 (same product: Totolink X5000R)
CVE-2024-57014 (same product: Totolink X5000R)
CVE-2024-57021 (same product: Totolink X5000R)

Affected Assets

Vendor: totolink
Product: x5000r firmware
Version: 9.1.0cu.2415_b20250515

Mitigating Controls (NIST 800-53 r5, AI-mapped)

SI-10 Information Input Validation (prevent): Directly mandates validation of the 'ip' parameter to neutralize argument injection into the ping command executed via CsteSystem.

SI-2 Flaw Remediation (prevent): Requires timely flaw remediation to patch the argument injection vulnerability in the setDiagnosisCfg handler.

prevent: Mitigates the DoS impact from excessive resource consumption or prolonged ping execution caused by injected options.
