CVE-2025-60687

Published: Nov 13, 2025

Modified: Nov 13, 2025

PUBLISHED

Description

An unauthenticated command injection vulnerability exists in the ToToLink LR1200GB Router firmware V9.1.0u.6619_B20230130 within the cstecgi.cgi binary (sub_41EC68 function). The binary reads the "imei" parameter from a web request and verifies only that it is 15 characters long. The parameter is then directly inserted into a system command using sprintf() and executed with system(). Maliciously crafted IMEI input can execute arbitrary commands on the router without authentication.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

http://totolink.com

https://www.totolink.net/

https://github.com/yifan20020708/SGTaint-0-day/blob/main/ToToLink/ToToLink-LR1200GB/CVE-2025-60687.md

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-60687

Description

Affected Products

References