Description
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the ttlWay parameter to /cgi-bin/cstecgi.cgi.
Published: 2026-04-23
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution
Action: Upgrade Firmware
AI Analysis

Impact

The flaw is a classic command injection (CWE-77) in the ttlWay parameter handled by /cgi-bin/cstecgi.cgi, the web-management CGI of the Totolink A3300R firmware. An attacker who can reach the device's web interface can supply a crafted ttlWay value that the firmware passes into a system command, running arbitrary commands with the privileges of the CGI process. The record does not confirm full device compromise, but CGI handlers on embedded routers commonly run as root, so arbitrary command execution should be assumed to give an attacker full control of the device.

Affected Systems

Totolink A3300R routers running firmware version 17.0.0cu.557_B20221024 are affected; this is the only build listed in the CPE data. The record does not say whether earlier or later builds share the vulnerable code, so treat other versions as unverified rather than as clean.

Risk and Exploitability

The CVSS 3.1 score of 6.5 is Medium severity. The vector on this page (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) rates the flaw as network-reachable, low-complexity and requiring neither privileges nor user interaction, so according to the metric no authentication is needed; its low confidentiality and integrity ratings understate what arbitrary command execution on a router usually means in practice. The EPSS score below 1 % indicates a very low but nonzero likelihood of exploitation on current data, and the vulnerability is not listed in the CISA KEV catalog; the SSVC entry does record a public proof of concept (Exploitation: poc) and rates the flaw as automatable. Exploitation requires reaching the device's web interface, from the LAN or, where remote management is exposed, from the WAN, and submitting a crafted ttlWay value.

Generated by OpenCVE AI on April 29, 2026 at 01:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the router to a firmware release in which Totolink has fixed the ttlWay handling in cstecgi.cgi. None is listed on this page, so check the vendor's support site for a build newer than 17.0.0cu.557_B20221024 that references this issue before treating the device as patched.
  • Restrict access to the device's web interface: disable remote (WAN-side) management, and on the LAN allow connections to the router's HTTP service only from trusted administrative IP ranges, using firewall rules or the router's own access controls.
  • Do not rely on removing cstecgi.cgi as a workaround: it is the CGI behind the whole web management interface, so deleting it disables administration rather than just the vulnerable parameter. Until a fix is available, treat the device as exposed on every network segment that can reach its HTTP service, and monitor for requests to /cgi-bin/cstecgi.cgi whose ttlWay value contains shell metacharacters.

Generated by OpenCVE AI on April 29, 2026 at 01:43 UTC.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 02:00:00 +0000

Title
  Added: Command Injection in Totolink A3300R Firmware via ttlWay Parameter

Mon, 27 Apr 2026 15:00:00 +0000

First Time appeared
  Added: Totolink; Totolink a3300r; Totolink a3300r Firmware
CPEs
  Added: cpe:2.3:h:totolink:a3300r:-:*:*:*:*:*:*:*
         cpe:2.3:o:totolink:a3300r_firmware:17.0.0cu.557_b20221024:*:*:*:*:*:*:*
Vendors & Products
  Added: Totolink; Totolink a3300r; Totolink a3300r Firmware

Thu, 23 Apr 2026 19:15:00 +0000

Weaknesses
  Added: CWE-77
Metrics
  Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
         ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 18:45:00 +0000

Description
  Added: An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the ttlWay parameter to /cgi-bin/cstecgi.cgi.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-23T19:03:15.466Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31162

Vulnrichment

Updated: 2026-04-23T19:03:09.252Z

NVD

Status : Analyzed

Published: 2026-04-23T19:17:24.130

Modified: 2026-04-27T14:57:41.280

Link: CVE-2026-31162

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T01:45:26Z

Weaknesses