
New Rust Botnet "RustoBot" is Routed via Routers


Jasper_The_Rasper
Moderator

By Vincent Li | April 21, 2025


Affected Platforms: TOTOLINK N600R V4.3.0cu.7570_B20200620, TOTOLINK A830R V5.9c.4729_B20191112, A3100R V4.1.2cu.5050_B20200504, A950RG V4.1.2cu.5161_B20200903, A800R V4.1.2cu.5137_B20200730, A3000RU V5.9c.5185_B20201128, and A810R V4.1.2cu.5182_B20201026. DrayTek Vigor2960 and Vigor300B 1.5.1.4


Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High

FortiGuard Labs recently discovered a new botnet propagating through TOTOLINK devices. Unlike previous malware targeting these devices, this variant is written in Rust—a programming language introduced by Mozilla in 2010. Due to its Rust-based implementation, we’ve named the malware “RustoBot.”

Incidents

In January and February of 2025, FortiGuard Labs observed a significant increase in alerts related to attacks exploiting TOTOLINK vulnerabilities.

Figure 1: IPS Telemetry

TOTOLINK vulnerabilities often stem from the cstecgi.cgi file—a CGI script responsible for processing user inputs, configuration changes, authentication, and administrative commands. These scripts have repeatedly been found to contain flaws, most notably command injection vulnerabilities that can be exploited remotely. Attackers can leverage various functions within this script to achieve remote code execution, including setUpgradeFW (CVE-2022-26210) and pingCheck (CVE-2022-26187).

Figure 2: TOTOLINK devices command injection vulnerability's payload

When we analyzed the payload at hxxp://66[.]63[.]187[.]69/mpsl, we identified another vulnerability—CVE-2024-12987—affecting DrayTek devices, which was exploited by attackers during the same period. This vulnerability is an OS command injection located in the cgi-bin/mainfunction.cgi/apmcfgupload interface.
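The two injection points described above (the TOTOLINK cstecgi.cgi functions and the DrayTek cgi-bin/mainfunction.cgi/apmcfgupload interface) share one observable trait from a defender's side: a request to a router CGI endpoint whose parameter values carry shell metacharacters. The following is an added example, not code from the original post or from FortiGuard Labs, that scans web-server access-log lines for exactly that pattern. The "/cgi-bin/" prefix, the parameter names, the log format, and the sample log lines are all constructed assumptions; it decodes values twice so double-encoded metacharacters are not missed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# CGI endpoints named in the advisory; the "/cgi-bin/" prefix is an assumption
# about how they appear in an HTTP access log.
WATCHED_PATHS = (
    "/cgi-bin/cstecgi.cgi",                     # TOTOLINK (setUpgradeFW, pingCheck, ...)
    "/cgi-bin/mainfunction.cgi/apmcfgupload",  # DrayTek, CVE-2024-12987
)

# Shell metacharacters and command-substitution openers that a legitimate router
# configuration parameter never needs.
SHELL_META = re.compile(r"[;|&`]|\$\(|\$\{")

# Apache/nginx "combined" request line: src ident user [ts] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)


def parse_query(query):
    """Split a query string on '&' only (never on ';', a token we want to keep)
    and percent-decode each value twice so double-encoded metacharacters are
    seen in their final form."""
    out = []
    for field in query.split("&"):
        if not field:
            continue
        key, _, value = field.partition("=")
        out.append((unquote_plus(key), unquote_plus(unquote_plus(value))))
    return out


def inspect_line(line):
    """Return a finding for a request to a watched CGI path whose parameters carry
    shell metacharacters, or None for anything else (unparseable lines included)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path not in WATCHED_PATHS:
        return None
    tainted = [k for k, v in parse_query(url.query) if SHELL_META.search(v)]
    if not tainted:
        return None
    return {
        "src": m.group("src"),
        "ts": m.group("ts"),
        "path": url.path,
        "params": tainted,
        "status": m.group("status"),
    }


def scan(lines):
    """Run inspect_line over an iterable of log lines and keep only the hits."""
    return [hit for hit in map(inspect_line, lines) if hit]


# Constructed sample log: RFC 5737 documentation addresses, made-up parameter
# names, and PLACEHOLDER standing in for whatever follows the metacharacter.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Feb/2025:08:14:02 +0000] "GET /cgi-bin/cstecgi.cgi?action=status HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [12/Feb/2025:08:14:09 +0000] "GET /cgi-bin/cstecgi.cgi?action=pingCheck&host=10.0.0.1;PLACEHOLDER HTTP/1.1" 200 77 "-" "-"',
    '198.51.100.7 - - [12/Feb/2025:08:14:11 +0000] "POST /cgi-bin/mainfunction.cgi/apmcfgupload?session=x%253B%24(PLACEHOLDER) HTTP/1.1" 500 0 "-" "-"',
    '203.0.113.9 - - [12/Feb/2025:08:15:00 +0000] "GET /index.html?q=a;b HTTP/1.1" 200 1024 "-" "-"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["src"]} -> {hit["path"]} '
              f'tainted params: {hit["params"]} (HTTP {hit["status"]})')
```

Two points to keep in mind when applying this to real devices: a request whose injected parameter travels in the POST body will not show up in a standard access log, so the request line should come from a reverse proxy, WAF or IPS that records bodies; and a hit on the `/index.html` line is deliberately absent, since the metacharacter check is scoped to the CGI endpoints the advisory names rather than to every URL on the device.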

Figure 3: DrayTek command injection vulnerability's payload

These exploitation attempts were observed in four countries: Japan, Taiwan, Vietnam, and Mexico. All incidents targeted organizations in the technology sector.


>>Full Article<<
