Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-60687

An unauthenticated command injection vulnerability exists in the ToToLink LR1200GB Router firmware V9.1.0u.6619_B20230130 within the cstecgi.cgi binary (sub_41EC68 function). The binary reads the "imei" parameter from a web request and verifies only that it is 15 characters long. The parameter is then directly inserted into a system command using sprintf() and executed with system(). Maliciously crafted IMEI input can execute arbitrary commands on the router without authentication.

Published

2025-11-13T16:15:52.720

Last Modified

2025-11-19T17:38:41.063

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

Weaknesses

Type: Secondary
CWE-77

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	totolink	lr1200gb_firmware	9.1.0u.6619_b20230130	Yes
Hardware	totolink	lr1200gb	-	No

References

http://totolink.com Broken Link ([email protected])
https://github.com/yifan20020708/SGTaint-0-day/blob/main/ToToLink/ToToLink-LR1200GB/CVE-2025-60687.md Exploit, Third Party Advisory ([email protected])
https://www.totolink.net/ Product ([email protected])