CVE-2025-70329
Published: 23 February 2026
Summary
CVE-2025-70329 is a high-severity OS Command Injection (CWE-78) vulnerability in Totolink X5000R Firmware. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked in the top 23.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates validation and filtering of user-supplied parameters like vlanVidLan1 before passing to CsteSystem, preventing OS command injection in the setIptvCfg handler.
Enforces restrictions on input types, formats, and volumes at system boundaries, blocking shell metacharacters in vlanVidLanX parameters destined for command execution.
Requires identification, reporting, and timely remediation of the specific command injection flaw in lighttpd's setIptvCfg handler via firmware updates or patches.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection in Unix-based router firmware directly enables arbitrary shell command execution (T1059.004) as root from low-privileged auth context, mapping to exploitation for privilege escalation (T1068).
NVD Description
TOTOLink X5000R v9.1.0cu_2415_B20250515 contains an OS command injection vulnerability in the setIptvCfg handler of the /usr/sbin/lighttpd executable. The vlanVidLan1 (and other vlanVidLanX) parameters are retrieved via Uci_Get_Str and passed to the CsteSystem function without adequate validation or filtering. This allows…
more
an authenticated attacker to execute arbitrary shell commands with root privileges by injecting shell metacharacters into the affected parameters.
Deeper analysisAI
CVE-2025-70329 is an OS command injection vulnerability (CWE-78) in the TOTOLink X5000R router running firmware version v9.1.0cu_2415_B20250515. The issue affects the setIptvCfg handler in the /usr/sbin/lighttpd executable, where parameters such as vlanVidLan1 and other vlanVidLanX values are retrieved via Uci_Get_Str and passed to the CsteSystem function without adequate validation or filtering. Published on 2026-02-23, it has a CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An authenticated attacker with low privileges on an adjacent network can exploit this vulnerability by injecting shell metacharacters into the affected vlanVidLanX parameters during requests to the setIptvCfg handler. Successful exploitation allows execution of arbitrary shell commands with root privileges, enabling full control over the device, including potential data exfiltration, modification of configurations, or further network pivoting.
Mitigation details are available in the referenced advisories: https://github.com/neighborhood-H/0-DAY/blob/main/Toto-link/X5000R/SetIptvCfg/report.md and https://www.notion.so/TOTOLINK-X5000R-SetIptvCfg-2d170566ca7f8027ad47e6b5429025fc?source=copy_link.
Details
- CWE(s)