Description
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the hour parameter to /cgi-bin/cstecgi.cgi.
Published: 2026-04-23
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution
Action: Apply Patch
AI Analysis

Impact

An attacker can supply a malicious value for the hour parameter in the /cgi-bin/cstecgi.cgi CGI endpoint on the Totolink A3300R router. The firmware v17.0.0cu.557_B20221024 fails to sanitise this input, so a crafted command is passed to the underlying shell, giving the attacker the ability to execute arbitrary commands on the device. This is a classic command injection flaw (CWE-77) that can compromise the confidentiality, integrity or availability of the router and any devices on its network.

Affected Systems

The affected system is the Totolink A3300R consumer router, running firmware 17.0.0cu.557_B20221024. The vulnerability is exposed through the web interface or the HTTP/HTTPS services that host the /cgi-bin/cstecgi.cgi script. Only this firmware version is currently listed as vulnerable; earlier or later builds may be unaffected.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score is below 1%, meaning that public exploitation is unlikely at present, and the vulnerability is not included in the CISA KEV catalog. Nevertheless, any attacker who can reach the affected router over the network, whether internally or from the internet, could exploit the flaw without authentication, potentially leading to full control of the device. The attack vector is inferred to be remote, via the HTTP service; exploitation is easier if the router's management interface is exposed to untrusted networks.

Generated by OpenCVE AI on April 28, 2026 at 07:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the router firmware to a version where the /cgi-bin/cstecgi.cgi CGI no longer accepts the hour parameter unauthenticated or properly sanitises it.
  • Restrict access to the router’s management interface, e.g., configure the firewall to permit the /cgi-bin/cstecgi.cgi service only from trusted IP addresses or VPN connections.
  • Disable or remove the /cgi-bin/cstecgi.cgi functionality if it is not required, and monitor the device for unexpected reboot or command execution patterns.

Generated by OpenCVE AI on April 28, 2026 at 07:51 UTC.
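As an added illustration of the sanitisation the recommended actions call for (example code written for this page, not Totolink firmware or OpenCVE code), the following C functions show how a CGI handler can accept an hour parameter without ever handing it to a shell: the value is parsed under a strict allowlist (one or two ASCII digits, range 0 to 23) and then placed in its own argv entry for execv() rather than interpolated into a command string. The helper path /sbin/schedule_helper and the function names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Strict allowlist parser for an "hour" request parameter (hypothetical
 * handler, not the vendor's code). Returns 0..23 on success, -1 on any
 * rejection: NULL, empty, longer than two characters, any non-digit byte,
 * or out of range. Because only digits survive, no shell metacharacter
 * can ever travel onward inside the validated value. */
int parse_hour(const char *raw)
{
    if (raw == NULL) return -1;
    size_t len = strlen(raw);
    if (len == 0 || len > 2) return -1;
    for (size_t i = 0; i < len; i++) {
        if (!isdigit((unsigned char)raw[i])) return -1;
    }
    int h = atoi(raw);                 /* safe: at most two digits */
    return (h >= 0 && h <= 23) ? h : -1;
}

/* Prepare an argv for a helper program so it can be started with execv()
 * instead of system(): the validated hour is its own argument, never part
 * of a string a shell would re-parse. Only fills the array; nothing is
 * executed. Returns the argument count, or -1 if the hour was rejected. */
int build_argv(const char *raw_hour, char *hourbuf, size_t bufsz,
               const char *argv[4])
{
    int h = parse_hour(raw_hour);
    if (h < 0) return -1;
    snprintf(hourbuf, bufsz, "%d", h); /* canonical form: "09" becomes "9" */
    argv[0] = "/sbin/schedule_helper"; /* assumed helper path */
    argv[1] = "--hour";
    argv[2] = hourbuf;
    argv[3] = NULL;
    return 3;
}
```

Any request whose hour value fails parse_hour() is a candidate for logging: a legitimate client has no reason to send anything but a small integer in that field.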


Advisories

No advisories yet.

History

Tue, 28 Apr 2026 08:15:00 +0000

Type: Title
Values added: Command Injection via Hour Parameter in Totolink A3300R Firmware

Mon, 27 Apr 2026 15:00:00 +0000

Type: First Time appeared
Values added: Totolink; Totolink a3300r; Totolink a3300r Firmware
Type: CPEs
Values added: cpe:2.3:h:totolink:a3300r:-:*:*:*:*:*:*:*; cpe:2.3:o:totolink:a3300r_firmware:17.0.0cu.557_b20221024:*:*:*:*:*:*:*
Type: Vendors & Products
Values added: Totolink; Totolink a3300r; Totolink a3300r Firmware

Thu, 23 Apr 2026 19:15:00 +0000

Type: Weaknesses
Values added: CWE-77
Type: Metrics
Values added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}; ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 18:45:00 +0000

Type: Description
Values added: An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the hour parameter to /cgi-bin/cstecgi.cgi.
Type: References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-23T19:05:04.109Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31166

Vulnrichment

Updated: 2026-04-23T19:05:00.153Z

NVD

Status: Analyzed

Published: 2026-04-23T19:17:24.733

Modified: 2026-04-27T14:56:56.783

Link: CVE-2026-31166

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T08:00:14Z

Weaknesses