CyberSec.Space Logo
Back to CVE Browser

CVE-2021-27710

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.1230%
EPSS Percentile10.43th
PublishedApr 14, 2021
Last ModifiedNov 21, 2024

Vulnerability Description

Command Injection in TOTOLINK X5000R router with firmware v9.1.0u.6118_B20201102, and TOTOLINK A720R router with firmware v4.1.5cu.470_B20200911 allows remote attackers to execute arbitrary OS commands by sending a modified HTTP request. This occurs because the function executes glibc's system function with untrusted input. In the function, "ip" parameter is directly passed to the attacker, allowing them to control the "ip" field to attack the OS.

Affected Platforms (CPE)

πŸ’»
Totolink

X5000r Firmware

= 9.1.0u.6118_b20201102
πŸ’»
Totolink

A720r Firmware

= 4.1.5cu.470_b20200911

References & Advisories

πŸ”— https://hackmd.io/Hy3oVgtcQiuqAtv9FdylHw
πŸ”— https://hackmd.io/KjXzQdjDRjOuRjoZZXQo_A
πŸ”— https://hackmd.io/Hy3oVgtcQiuqAtv9FdylHw
πŸ”— https://hackmd.io/KjXzQdjDRjOuRjoZZXQo_A

Related Vulnerabilities

CVE-2021-277089.8

Command Injection in TOTOLINK X5000R router with firmware v9.1.0u.6118_B20201102, and TOTOLINK A720R router with firmware v4.1.5cu...

CVE-2026-53430

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-grpc grpc (GRPC.Compressor.Gzip, GRPC.Mes...

CVE-2026-48854

Allocation of Resources Without Limits or Throttling vulnerability in elixir-grpc grpc allows unauthenticated attackers to exhaust...

CVE-2026-48853

Deserialization of Untrusted Data and Allocation of Resources Without Limits or Throttling vulnerabilities in elixir-grpc grpc all...