Description
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the interval parameter to /cgi-bin/cstecgi.cgi.
Published: 2026-04-23
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution
Action: Apply Firmware
AI Analysis

Impact

A command injection flaw was found in the Totolink A3300R router’s web interface where an attacker can supply arbitrary commands in the interval parameter of the /cgi-bin/cstecgi.cgi endpoint. The flaw permits execution of any operating‑system command on the device, potentially giving an attacker full control over the router. The weakness is categorized as command injection (CWE-77).

Affected Systems

All Totolink A3300R routers running firmware version 17.0.0cu.557_B20221024 are affected. Users of other firmware releases or hardware variants are not listed as vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.5, indicating a moderate severity, and an EPSS score of less than 1%, suggesting low current exploitation probability. It is not listed in CISA’s KEV catalog. Exploitation would likely involve crafting a malicious HTTP request to /cgi-bin/cstecgi.cgi with a manipulated interval value, sending it over the network to the exposed web interface. The description does not state whether authentication is required, so it is inferred that remote unauthenticated access could be sufficient, although that may depend on additional device settings.

Generated by OpenCVE AI on April 28, 2026 at 07:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the router firmware to a version that fixes the command injection in /cgi-bin/cstecgi.cgi.
  • If a newer firmware release is not available, restrict external access to the web interface using firewall rules or VLAN segmentation so that only trusted administrators can reach it.
  • Disable or block the /cgi-bin/cstecgi.cgi endpoint if the device configuration allows, or prevent omission of parameters such as interval via input validation or parameter whitelisting.
  • Monitor web access logs for suspicious requests to cstecgi.cgi and investigate any anomalous activity.

Generated by OpenCVE AI on April 28, 2026 at 07:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 08:15:00 +0000

Type Values Removed Values Added
Title Command Injection via Interval Parameter in Totolink A3300R Firmware

Mon, 27 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Totolink
Totolink a3300r
Totolink a3300r Firmware
CPEs cpe:2.3:h:totolink:a3300r:-:*:*:*:*:*:*:*
cpe:2.3:o:totolink:a3300r_firmware:17.0.0cu.557_b20221024:*:*:*:*:*:*:*
Vendors & Products Totolink
Totolink a3300r
Totolink a3300r Firmware

Thu, 23 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-77
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
Description An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the interval parameter to /cgi-bin/cstecgi.cgi.
References

Subscriptions

Totolink A3300r A3300r Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-23T18:54:51.167Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31173

cve-icon Vulnrichment

Updated: 2026-04-23T18:54:46.386Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-23T19:17:25.603

Modified: 2026-04-27T14:54:54.583

Link: CVE-2026-31173

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T08:00:14Z

Weaknesses