Description
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the provider parameter to /cgi-bin/cstecgi.cgi.
Published: 2026-04-23
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Command Execution
Action: Immediate Patch
AI Analysis

Impact

The flaw allows an attacker to inject and execute arbitrary operating-system commands through the provider parameter of /cgi-bin/cstecgi.cgi on the ToToLink A3300R router. This is a classic command-injection vulnerability (CWE-77) that can lead to full device compromise, data exfiltration, or takeover of the network segment in which the device resides. The impact is a loss of confidentiality, integrity and availability for the affected system and any networks it connects to.

Affected Systems

ToToLink A3300R routers running firmware version 17.0.0cu.557_B20221024 are affected. The issue is tied to the /cgi-bin/cstecgi.cgi component exposed by the firmware. Any device that incorporates this firmware revision is vulnerable and must be examined for exploitation potential.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. The EPSS score of < 1% shows a very low current probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. However, because the flaw permits remote command execution, the potential impact remains high. The attack vector is likely network-based, requiring access to the router’s control interface and the ability to supply a crafted provider parameter value.

Generated by OpenCVE AI on April 28, 2026 at 07:46 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the ToToLink A3300R firmware to a version that resolves the provider command injection flaw.
  • If a firmware update is not immediately available, restrict access to /cgi-bin/cstecgi.cgi to trusted IP addresses using firewall or ACL rules.
  • Disable or remove the provider functionality via the device’s configuration interface until a patch is applied.

Generated by OpenCVE AI on April 28, 2026 at 07:46 UTC.
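As an added example, not code from OpenCVE or the vendor, the script below complements the access restriction recommended above with log triage: it flags requests to /cgi-bin/cstecgi.cgi whose provider query parameter carries shell metacharacters. It assumes Common Log Format access lines and that the parameter travels in the query string; the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and parameter named in the advisory (CWE-77 command injection).
VULN_PATH = "/cgi-bin/cstecgi.cgi"
VULN_PARAM = "provider"

# Shell metacharacters that a provider name never legitimately needs.
# Heuristic: hits are triage leads for the firewall/ACL review, not verdicts.
SHELL_META = re.compile(r"[;|&`$\n\r]")

# Minimal Common Log Format parser: client IP, method, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3})')


def inspect_line(line: str):
    """Return (client_ip, decoded_provider_value) for a suspicious request to
    the vulnerable CGI endpoint, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _method, target, _status = m.groups()
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get(VULN_PARAM, [])
    for raw in values:
        # parse_qs decoded once; decode again to catch double-encoded values.
        value = unquote(raw)
        if SHELL_META.search(value):
            return (client, value)
    return None


def scan(lines):
    """Return every suspicious (client, value) hit across an iterable of lines."""
    return [hit for hit in map(inspect_line, lines) if hit]


# Constructed sample log lines (RFC 5737 test addresses): benign request,
# single-encoded metacharacter, unrelated path, double-encoded metacharacter.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Apr/2026:10:01:02 +0000] "GET /cgi-bin/cstecgi.cgi?provider=ISP1 HTTP/1.1" 200 512',
    '192.0.2.11 - - [24/Apr/2026:10:01:05 +0000] "GET /cgi-bin/cstecgi.cgi?provider=ISP1%3Bcmd HTTP/1.1" 200 77',
    '192.0.2.12 - - [24/Apr/2026:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '192.0.2.13 - - [24/Apr/2026:10:01:12 +0000] "GET /cgi-bin/cstecgi.cgi?provider=ISP1%253Bcmd HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(f"suspicious provider value from {client}: {value!r}")
```

Requests that carry the parameter in a POST body will not appear in the query string, so pair this with body logging or the ACL restriction rather than relying on it alone.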

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 08:15:00 +0000

Type | Values Removed | Values Added
Title: Command Injection via /cgi-bin/cstecgi.cgi on ToToLink A3300R

Fri, 24 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
First Time appeared: Totolink; Totolink a3300r; Totolink a3300r Firmware
CPEs: cpe:2.3:h:totolink:a3300r:-:*:*:*:*:*:*:*; cpe:2.3:o:totolink:a3300r_firmware:17.0.0cu.557_b20221024:*:*:*:*:*:*:*
Vendors & Products: Totolink; Totolink a3300r; Totolink a3300r Firmware

Thu, 23 Apr 2026 19:15:00 +0000

Type | Values Removed | Values Added
Weaknesses: CWE-77
Metrics: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 17:45:00 +0000

Type | Values Removed | Values Added
Description: An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the provider parameter to /cgi-bin/cstecgi.cgi.
References:

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-23T18:35:01.844Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31160

Vulnrichment

Updated: 2026-04-23T18:30:39.759Z

NVD

Status: Analyzed

Published: 2026-04-23T18:16:24.210

Modified: 2026-04-24T15:13:17.750

Link: CVE-2026-31160

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T08:00:14Z

Weaknesses