Impact
The flaw lies in the recvUpgradeNewFw function of the cstecgi.cgi script on Totolink WA300 routers, allowing the injection of arbitrary operating‑system commands. This results in full remote code execution, giving an attacker the ability to execute any command within the firmware’s environment. The weakness corresponds to classic OS command injection, identified as CWE‑77 and CWE‑78. The impact is loss of confidentiality, integrity, and availability of the device and its hosted network services.
Affected Systems
Affected devices are Totolink WA300 routers running firmware version 5.2cu.7112_B20190227. The vulnerability is confined to this specific firmware build and the cstecgi.cgi module; newer firmware revisions are not reported to contain the issue.
Risk and Exploitability
The CVSS score of 6.9 indicates medium severity, while the EPSS score of 2% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, implying no confirmed widespread exploitation yet. Attackers can target the device over the network by sending crafted CGI requests to /cgi-bin/cstecgi.cgi; it is inferred that authentication is not required for the attack to succeed, making it an unauthenticated remote vulnerability.
OpenCVE Enrichment