Description
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the mode parameter to /cgi-bin/cstecgi.cgi.
Published: 2026-04-23
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Arbitrary Command Execution
Action: Upgrade Firmware
AI Analysis

Impact

An injection flaw in ToToLink A3300R firmware allows an attacker to send arbitrary command strings via the "mode" parameter of the "/cgi-bin/cstecgi.cgi" endpoint. The flaw is a classic command injection (CWE-77) that can lead to full remote code execution on the device. Successful exploitation could compromise network integrity, leak sensitive data, or enable persistence on the affected unit.

Affected Systems

The vulnerability affects ToToLink A3300R routers running firmware version 17.0.0cu.557_B20221024. No other vendors or product versions are listed as impacted.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low but non-zero likelihood of exploitation. The vulnerability is not present in CISA’s KEV catalog, implying no confirmed widespread exploitation yet. An attacker would need network reach to the router’s web interface and would have to craft a malicious "mode" query string to trigger code execution.

Generated by OpenCVE AI on April 28, 2026 at 07:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ToToLink A3300R to a firmware version that includes the command injection fix.
  • If an upgrade cannot be performed immediately, block remote access to the /cgi-bin/cstecgi.cgi endpoint by configuring firewall rules or disabling external web management.
  • Enable logging and alerting for unexpected requests to /cgi-bin/cstecgi.cgi to detect attempted exploitation.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 08:15:00 +0000

Type | Values Removed | Values Added
Title | (none) | Command Injection via mode Parameter in ToToLink A3300R Firmware

Mon, 27 Apr 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Totolink; Totolink a3300r; Totolink a3300r Firmware
CPEs | (none) | cpe:2.3:h:totolink:a3300r:-:*:*:*:*:*:*:*; cpe:2.3:o:totolink:a3300r_firmware:17.0.0cu.557_b20221024:*:*:*:*:*:*:*
Vendors & Products | (none) | Totolink; Totolink a3300r; Totolink a3300r Firmware

Thu, 23 Apr 2026 19:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | (none) | CWE-77
Metrics | (none) | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}; ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 18:45:00 +0000

Type | Values Removed | Values Added
Description | (none) | An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the mode parameter to /cgi-bin/cstecgi.cgi.
References | (none) | (none)

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-23T18:58:04.830Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31167

Vulnrichment

Updated: 2026-04-23T18:58:00.339Z

NVD

Status : Analyzed

Published: 2026-04-23T19:17:24.830

Modified: 2026-04-27T14:56:31.580

Link: CVE-2026-31167

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T08:00:14Z

Weaknesses