Description
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the user parameter to /cgi-bin/cstecgi.cgi.
Published: 2026-04-23
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution via HTTP CGI
Action: Apply Patch
AI Analysis

Impact

An injection flaw exists in the ToToLink A3300R firmware that allows an attacker to supply arbitrary shell commands through the *user* parameter of the /cgi-bin/cstecgi.cgi endpoint. This vulnerability, classified as CWE-77 (command injection), can lead to remote command execution, compromising the confidentiality, integrity, and availability of the device. The description does not explicitly state the attack vector, but it is inferred that an attacker can exploit this by sending a crafted HTTP request containing a malicious *user* value to the CGI script.

Affected Systems

The affected device is the ToToLink A3300R router running firmware version 17.0.0cu.557_B20221024. The corresponding CPEs reference this exact model and firmware build. Identical builds, and any later builds that do not include a fix, may also be at risk until a release that addresses the vulnerability is applied.

Risk and Exploitability

The CVSS base score of 6.5 reflects a medium severity. The EPSS score is reported as less than 1%, indicating a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Based on the information provided, the likely attack vector involves sending a crafted HTTP request to the vulnerable CGI endpoint over the network, requiring no special privileges or physical access. The primary risk is therefore remote command execution by an unauthenticated attacker from an external origin.

Generated by OpenCVE AI on April 28, 2026 at 15:07 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Deploy verified firmware updates that fix the command injection flaw.
  • Restrict or filter network traffic to the /cgi-bin/cstecgi.cgi endpoint, blocking requests from untrusted networks.
  • Place the router behind a firewall, or use interface segmentation, so that its management interface is not directly exposed.


Tracking


Advisories

No advisories yet.

History

Tue, 28 Apr 2026 15:30:00 +0000

Type: Title
Values Removed: (none)
Values Added: Command Injection in ToToLink A3300R Firmware Enabling Remote Command Execution

Fri, 24 Apr 2026 15:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Totolink; Totolink a3300r; Totolink a3300r Firmware

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:h:totolink:a3300r:-:*:*:*:*:*:*:*; cpe:2.3:o:totolink:a3300r_firmware:17.0.0cu.557_b20221024:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added: Totolink; Totolink a3300r; Totolink a3300r Firmware

Thu, 23 Apr 2026 20:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 19:30:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-77

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


Thu, 23 Apr 2026 18:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the user parameter to /cgi-bin/cstecgi.cgi.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-23T18:44:56.511Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31172

Vulnrichment

Updated: 2026-04-23T18:44:51.991Z

NVD

Status: Analyzed

Published: 2026-04-23T18:16:24.587

Modified: 2026-04-24T15:12:42.550

Link: CVE-2026-31172

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T15:15:34Z

Weaknesses