CVE-2025-11005 CRITICAL

CVE-2025-11005: TOTOLINK X6000R Unauthenticated Command Injection Vulnerability

Vendor Totolink

Product X6000R

Weakness CWE-78

Published September 25, 2025

Last update September 26, 2025

View on NVD All CVEs

CVSS base score

9.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:H/SI:L/SA:H

What the vulnerability does

01Description

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in TOTOLINK X6000R allows OS Command Injection.This issue affects X6000R: through V9.4.0cu.1458_B20250708.

Key dates

02Disclosure timeline

September 25, 2025 CVE published

September 26, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-11005

Related vulnerabilities

04Related CVE

CVE-2022-50994 DrayTek Vigor 2960 < 1.5.1.4 OS Command Injection via mainfunction.cgi CVE-2023-6309 moses-smt mosesdecoder trans_result.php os command injection CVE-2022-43973 Arbitrary code execution in Linksys WRT54GL CVE-2026-21893 n8n Vulnerable to Command Injection in Community Package Installation CVE-2025-15060 claude-hovercraft executeClaudeCode Command Injection Remote Code Execution Vulnerability