ADVISORIES | April 23, 2018

HooToo Security Advisory

By Tao Sauvage

HT-TM05 is vulnerable to unauthenticated remote code execution in the /sysfirm.csp CGI endpoint, which allows an attacker to upload an arbitrary shell script that will be executed with root privileges on the device.

Launch PDF

penetration testing

©2025 IOActive Inc. All Rights Reserved. This website, including all material, images, and data contained herein, are protected by copyright. All rights are reserved. Content may not be used, copied, reproduced, transmitted, or otherwise exploited in any manner, including without limitation, to train generative artificial intelligence (AI) technologies, without IOActive’s prior written consent. Without limiting IOActive’s exclusive rights under copyright laws, IOActive reserves all rights to license uses of this work for generative AI training and development of machine learning language models.