Vulnerability Details CVE-2025-60687
An unauthenticated command injection vulnerability exists in the ToToLink LR1200GB Router firmware V9.1.0u.6619_B20230130 within the cstecgi.cgi binary (sub_41EC68 function). The binary reads the "imei" parameter from a web request and verifies only that it is 15 characters long. The parameter is then directly inserted into a system command using sprintf() and executed with system(). Maliciously crafted IMEI input can execute arbitrary commands on the router without authentication.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.024
EPSS Ranking 83.8%
CVSS Severity
CVSS v3 Score 6.5
References
Products affected by CVE-2025-60687
-
cpe:2.3:h:totolink:lr1200gb:-
-
cpe:2.3:o:totolink:lr1200gb_firmware:9.1.0u.6619_b20230130