VU#821724: TOTOLINK’s X5000R’s (AX1800 router) lacks authentication for telnet

Overview

An unauthenticated HTTP request can enable telnet on the device, which may lead to remote code execution with root-level privileges.

Description

TOTOLINK manufactures routers and other networking equipment designed for small businesses and home implementations. The AX1800 routers are popular with users connecting multiple internet-capable devices.

The TOTOLINK AX1800 routers lack authentication on the /cgi-bin/cstecgi.cgi?action=telnet endpoint, which may result in arbitrary command execution at the administrative level. This vulnerability is being tracked by CVE-2025-13184.

Impact

The impact includes full access to the device's configuration and filesystem. This level of access would give an attacker the capability to modify routing and DNS settings, intercept traffic, and achieve lateral movement across the local area network. There is a potential for wide area network (WAN) access if router management or telnet becomes externally reachable.

Solution

The CERT/CC is currently unaware of a practical solution to this problem. For complete remediation, a firmware update is necessary.

Mitigation Suggestions

  1. Ensure the web management interface is not exposed to the WAN or any untrusted network. Restrict access to the administrative interface to trusted management hosts only.

  2. Treat the X5000R router as untrusted from a security boundary point of view. Where possible, place it behind a separate firewall or router and avoid using it as the primary edge device.

  3. Block or monitor unexpected traffic to telnet (TCP port 23) on the device. The sudden appearance of an open telnet service on the router is a strong indicator of exploitation.
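An added example, not part of the CERT/CC note or TOTOLINK's firmware, implementing the monitoring suggested in item 3 from a defender's side: it flags log lines showing the unauthenticated telnet-enable request or a TCP/23 connection to the router, and checks from a management host whether telnet is unexpectedly answering. The router address, the log line formats and the injectable connect hook are assumptions.

```python
"""Indicators for CVE-2025-13184 on a TOTOLINK X5000R: a request to
/cgi-bin/cstecgi.cgi?action=telnet, or telnet (TCP/23) reachable on the router."""
import re
import socket
from typing import Callable, Iterable, Optional

ROUTER_IP = "192.168.0.1"  # assumed LAN address of the X5000R

# Assumed log shapes: a web-server style access line and an iptables-style
# firewall line; adapt the patterns to your own collector's format.
_HTTP_RE = re.compile(r'"(?:GET|POST) (?P<path>/cgi-bin/cstecgi\.cgi\?[^" ]*)')
_FW_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*PROTO=TCP .*DPT=(?P<dpt>\d+)")


def find_indicators(lines: Iterable[str], router_ip: str = ROUTER_IP) -> list:
    """Return one finding per log line that matches either indicator."""
    findings = []
    for line in lines:
        m = _HTTP_RE.search(line)
        if m and "action=telnet" in m.group("path"):
            findings.append({"kind": "telnet-enable-request", "line": line.strip()})
            continue
        m = _FW_RE.search(line)
        if m and m.group("dst") == router_ip and m.group("dpt") == "23":
            findings.append({"kind": "telnet-connection", "src": m.group("src"),
                             "line": line.strip()})
    return findings


def telnet_port_open(host: str = ROUTER_IP, timeout: float = 2.0,
                     connect: Optional[Callable[[str, int, float], bool]] = None) -> bool:
    """True if TCP/23 on the router accepts a connection. Telnet should normally
    be closed on the X5000R, so True is the strong indicator the advisory names."""
    if connect is None:  # real probe; tests inject a fake connect instead
        def connect(h: str, p: int, t: float) -> bool:
            try:
                with socket.create_connection((h, p), timeout=t):
                    return True
            except OSError:
                return False
    return connect(host, 23, timeout)


# Constructed sample log lines (not real captures).
SAMPLE_LOGS = [
    '10.0.0.7 - - [09/Dec/2025:10:01:12 +0000] "GET /cgi-bin/cstecgi.cgi?action=telnet HTTP/1.1" 200 12',
    '10.0.0.7 - - [09/Dec/2025:10:01:13 +0000] "GET /cgi-bin/cstecgi.cgi?action=status HTTP/1.1" 200 512',
    "kernel: IN=br0 OUT= SRC=10.0.0.7 DST=192.168.0.1 LEN=60 PROTO=TCP SPT=51234 DPT=23 SYN",
    "kernel: IN=br0 OUT= SRC=10.0.0.9 DST=192.168.0.1 LEN=60 PROTO=TCP SPT=51235 DPT=80 SYN",
]

if __name__ == "__main__":
    for f in find_indicators(SAMPLE_LOGS):
        print(f["kind"], "<-", f["line"])
    print("telnet open on router:", telnet_port_open())
```

Run it on a management host with access to the router's LAN side; a hit on the first indicator followed by an open TCP/23 is the sequence the advisory describes.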

Acknowledgements

Thanks to the reporter, HackingByDoing. This document was written by Laurie Tyzenhaus.

Vendor Information

Other Information

CVE IDs: CVE-2025-13184
Date Public: 2025-12-09
Date First Published:
Date Last Updated: 2025-12-09 19:27 UTC
Document Revision: 1