FortiGuard Labs recently discovered a new botnet propagating through TOTOLINK devices. Unlike previous malware targeting these devices, this variant is written in Rust, a programming language introduced by Mozilla in 2010. Due to its Rust-based implementation, analysts have named the malware “RustoBot.”
Incidents - In January and February of 2025, FortiGuard Labs observed a significant increase in alerts related to attacks exploiting TOTOLINK vulnerabilities.
TOTOLINK vulnerabilities often stem from the cstecgi.cgi file—a CGI script responsible for processing user inputs, configuration changes, authentication, and administrative commands. These scripts have repeatedly been found to contain flaws, most notably command injection vulnerabilities that can be exploited remotely. Attackers can leverage various functions within this script to achieve remote code execution, including setUpgradeFW (CVE-2022-26210) and pingCheck (CVE-2022-26187).
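For defenders reviewing proxy or IDS captures, the following added example (not part of the FortiGuard report) triages requests to cstecgi.cgi that name either of the two functions above and flags any that also carry shell metacharacters in another value. The request layout is an assumption: a JSON body, the `/cgi-bin/` directory, and the `action` and `param` keys in the samples are hypothetical.

```python
import json
import re

# Function names taken from the advisory text above.
WATCHED_FUNCTIONS = ("setUpgradeFW", "pingCheck")
# Characters that let a value break out of a shell command line.
SHELL_META = re.compile(r"[;|&`$<>\n\r]")


def _strings(node):
    """Yield every string value nested anywhere in a decoded JSON body."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        children = node.values() if isinstance(node, dict) else node
        for child in children:
            yield from _strings(child)


def classify(path, body):
    """Return (function, verdict) for a request, or None if out of scope."""
    if not path.split("?", 1)[0].lower().endswith("/cstecgi.cgi"):
        return None
    lowered = body.lower()
    func = next((f for f in WATCHED_FUNCTIONS if f.lower() in lowered), None)
    if func is None:
        return None
    try:
        values = list(_strings(json.loads(body)))
    except ValueError:
        return (func, "review")  # not JSON: hand to an analyst as-is
    # Ignore the value that names the function; scan every other string.
    tainted = any(SHELL_META.search(v) for v in values
                  if func.lower() not in v.lower())
    return (func, "suspicious" if tainted else "review")


# Constructed sample requests (not captured traffic); key names are hypothetical.
SAMPLES = [
    ("/cgi-bin/cstecgi.cgi", '{"action": "pingCheck", "param": "192.0.2.10"}'),
    ("/cgi-bin/cstecgi.cgi", '{"action": "pingCheck", "param": "192.0.2.10;CMD"}'),
    ("/cgi-bin/cstecgi.cgi", '{"action": "setUpgradeFW", "param": "fw.bin`CMD`"}'),
    ("/cgi-bin/cstecgi.cgi", '{"action": "otherFunction"}'),
    ("/index.html", ""),
]

if __name__ == "__main__":
    for path, body in SAMPLES:
        print(path, body, "->", classify(path, body))
```

A "review" verdict still deserves attention when the device's management interface is reachable from untrusted networks, since these functions are administrative.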
Link to full report: IR-25-112-001_RustoBot.pdf