Totolink X18 Firmware

By the Year

In 2026 there have been 0 vulnerabilities in Totolink X18 Firmware. Last year, in 2025, X18 Firmware had 5 security vulnerabilities published. Right now, X18 Firmware is on track to have fewer security vulnerabilities in 2026 than it did last year.

Year Vulnerabilities Average Score
2026 0 0.00
2025 5 8.80
2024 1 8.80
2023 5 9.80

It may take a day or so for new X18 Firmware vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Totolink X18 Firmware Security Vulnerabilities

Arbitrary cmd exec via enable param in TOTOLINK X18 v9.1.0cu.2024_B20220329
CVE-2025-29209 - April 18, 2025

TOTOLINK X18 v9.1.0cu.2024_B20220329 has an unauthorized arbitrary command execution vulnerability in the enable parameter of the sub_41105C function of cstecgi.cgi.

TOTOLINK x18 v9.1.0cu.2024_B20220329 RCE via cstecgi.cgi
CVE-2025-29064 - April 03, 2025

An issue in TOTOLINK x18 v.9.1.0cu.2024_B20220329 allows a remote attacker to execute arbitrary code via the sub_410E54 function of the cstecgi.cgi.

TOTOLINK X18: Remote OS Command Injection in cstecgi.cgi (v9.1.0cu.2024)
CVE-2025-1829 8.8 - High - March 02, 2025

A vulnerability was found in TOTOLINK X18 9.1.0cu.2024_B20220329. It has been declared as critical. This vulnerability affects the function setMtknatCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument mtkhnatEnable leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Shell injection

TOTOLINK X18 9.1.0cu.2024_B20220329 Stack-Based Buffer Overflow in setPasswordCfg
CVE-2025-1340 8.8 - High - February 16, 2025

A vulnerability classified as critical has been found in TOTOLINK X18 9.1.0cu.2024_B20220329. Affected is the function setPasswordCfg of the file /cgi-bin/cstecgi.cgi. The manipulation as part of String leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Memory Corruption

Critical CMD Inject in TOTOLINK X18 L2TP Config (9.1.0cu.2024)
CVE-2025-1339 8.8 - High - February 16, 2025

A vulnerability was found in TOTOLINK X18 9.1.0cu.2024_B20220329. It has been rated as critical. This issue affects the function setL2tpdConfig of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument enable leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Shell injection

TOTOLINK X18 OS Command Injection via cstecgi.cgi - November 2024
CVE-2024-10966 8.8 - High - November 07, 2024

A vulnerability, which was classified as critical, has been found in TOTOLINK X18 9.1.0cu.2024_B20220329. Affected by this issue is some unknown functionality of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument enable leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Shell injection

Command Injection via pid in disconnectVPN TOTOLINK X18 V9.1.0cu.2024_B20220329
CVE-2023-29803 9.8 - Critical - April 14, 2023

TOTOLINK X18 V9.1.0cu.2024_B20220329 was discovered to contain a command injection vulnerability via the pid parameter in the disconnectVPN function.

Command Injection

Command Injection in TOTOLINK X18 9.1.0 via setDiagnosisCfg ip param
CVE-2023-29802 9.8 - Critical - April 14, 2023

TOTOLINK X18 V9.1.0cu.2024_B20220329 was discovered to contain a command injection vulnerability via the ip parameter in the setDiagnosisCfg function.

Command Injection

Command Injection via syslog cfg in TOTOLINK X18 9.1.0
CVE-2023-29801 9.8 - Critical - April 14, 2023

TOTOLINK X18 V9.1.0cu.2024_B20220329 was discovered to contain multiple command injection vulnerabilities via the rtLogEnabled and rtLogServer parameters in the setSyslogCfg function.

Command Injection

Command Injection via UploadFirmwareFile in TOTOLINK X18 v9.1.0cu.2024_B20220329
CVE-2023-29800 9.8 - Critical - April 14, 2023

TOTOLINK X18 V9.1.0cu.2024_B20220329 was discovered to contain a command injection vulnerability via the FileName parameter in the UploadFirmwareFile function.

Command Injection

Command Injection in setTracerouteCfg on TOTOLINK X18 v9.1.0cu
CVE-2023-29798 9.8 - Critical - April 14, 2023

TOTOLINK X18 V9.1.0cu.2024_B20220329 was discovered to contain a command injection vulnerability via the command parameter in the setTracerouteCfg function.

Command Injection
