Totolink X5000R is a router from China-based Jion Electronics (Totolink). a command injection vulnerability exists in Totolink X5000R v9.1.0u.6118_B20201102, which stems from a failure of the tz parameter in the setNtpCfg function to properly filter the special element of the constructed command. An attacker could exploit this vulnerability to execute arbitrary commands via crafted requests.