Description
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the informEnable parameter to /cgi-bin/cstecgi.cgi.
Published: 2026-04-23
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution via Command Injection
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows an attacker to inject arbitrary system commands through the informEnable parameter of the /cgi-bin/cstecgi.cgi interface. This is a classic command injection flaw (CWE-77) that can give an attacker full control over the affected device. The impact is serious: an attacker can read, modify, or delete configuration data, install additional software, or use the router as a pivot for further attacks inside the network. The advisory text says nothing about authentication, and the CVSS vector records PR:N (no privileges required), so exploitation is unlikely to be limited to privileged users.

Affected Systems

Totolink A3300R routers running firmware version 17.0.0cu.557_B20221024 are affected. The vulnerability is tied to the cgi-bin interface and the informEnable parameter within that firmware.

Risk and Exploitability

The CVSS score of 6.5 rates the flaw as moderate, and the EPSS score of less than 1% suggests that real-world exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog, which further lowers the current urgency, although the SSVC record marks exploitation as "poc" and the issue as automatable. The likely attack vector is a remote HTTP or HTTPS request to /cgi-bin/cstecgi.cgi carrying a crafted informEnable value. An attacker with network access to the device, or to an exposed management interface, would be able to exploit this flaw.

Generated by OpenCVE AI on April 28, 2026 at 15:07 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the device firmware to a version that removes or hardens the /cgi-bin/cstecgi.cgi interface.
  • Limit management access to the device by restricting the management port to trusted internal networks or VPNs.
  • Implement input validation or a Web Application Firewall rule that blocks or sanitizes the informEnable parameter to prevent arbitrary command injection.
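The allow-list check below is an added example, not OpenCVE's or Totolink's own code, showing how the third recommendation can be applied as a log-review or reverse-proxy rule: it parses constructed access-log lines and flags any request to /cgi-bin/cstecgi.cgi whose informEnable value is not one of the expected flag values. It assumes informEnable legitimately takes only 0 or 1 and arrives in the query string; neither detail is documented on this page, so adjust both to the device's real schema.

```python
import re
from typing import Iterable, Iterator, Optional, Tuple
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and parameter named in CVE-2026-31174.
TARGET_PATH = "/cgi-bin/cstecgi.cgi"
PARAM = "informEnable"
# Assumed legitimate values for a boolean-style flag (assumption, not from the advisory).
ALLOWED = {"0", "1"}

# Common-log-format request line: "METHOD URL HTTP/x.y" inside double quotes.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')


def check_request(url: str) -> Optional[str]:
    """Return a reason if the request targets the CGI with a non-allow-listed value, else None."""
    parts = urlsplit(url)
    # Decode the path so percent-encoded forms of the endpoint are still recognised.
    if unquote(parts.path) != TARGET_PATH:
        return None
    # keep_blank_values=True so an empty informEnable is also judged against the allow-list.
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get(PARAM, []):
        if value not in ALLOWED:
            return f"{PARAM} outside allow-list: {value!r}"
    return None


def scan_log(lines: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield (client_ip, reason) for each access-log line that fails the allow-list check."""
    for line in lines:
        m = REQ_RE.search(line)
        if not m:
            continue
        reason = check_request(m.group("url"))
        if reason:
            yield line.split(" ", 1)[0], reason


# Constructed sample log lines; not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Apr/2026:10:00:01 +0000] "GET /cgi-bin/cstecgi.cgi?informEnable=1 HTTP/1.1" 200 512',
    '192.0.2.11 - - [24/Apr/2026:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.7 - - [24/Apr/2026:10:00:03 +0000] "POST /cgi-bin/cstecgi.cgi?informEnable=1%20test HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for client_ip, reason in scan_log(SAMPLE_LOG):
        print(f"{client_ip}: {reason}")
```

A value that is merely unusual is not proof of exploitation; treat hits as triage candidates and correlate with the device's own logs, and keep the firmware update as the actual fix.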



Advisories

No advisories yet.

History

Each entry lists the field type and the values removed or added at that time.

Tue, 28 Apr 2026 15:30:00 +0000
  Type: Title
  Values: Command Injection via informEnable in Totolink A3300R Firmware

Fri, 24 Apr 2026 15:15:00 +0000
  Type: First Time appeared
  Values: Totolink; Totolink a3300r; Totolink a3300r Firmware
  Type: CPEs
  Values: cpe:2.3:h:totolink:a3300r:-:*:*:*:*:*:*:*; cpe:2.3:o:totolink:a3300r_firmware:17.0.0cu.557_b20221024:*:*:*:*:*:*:*
  Type: Vendors & Products
  Values: Totolink; Totolink a3300r; Totolink a3300r Firmware

Thu, 23 Apr 2026 19:15:00 +0000
  Type: Weaknesses
  Values: CWE-77
  Type: Metrics
  Values: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
          ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 18:15:00 +0000
  Type: Description
  Values: An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the informEnable parameter to /cgi-bin/cstecgi.cgi.
  Type: References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-23T18:45:55.667Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31174

Vulnrichment

Updated: 2026-04-23T18:45:50.702Z

NVD

Status : Analyzed

Published: 2026-04-23T18:16:24.677

Modified: 2026-04-24T15:12:34.600

Link: CVE-2026-31174

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T15:15:34Z

Weaknesses