TOTOLink T6 is a wireless dual-band router from TotoLink, China.A command injection vulnerability exists in the meshSlaveDlfw function of TOTOLink T6. An attacker can exploit this vulnerability to execute arbitrary commands via specially crafted MQTT packets.