Description
A vulnerability was determined in Totolink WA300 5.2cu.7112_B20190227. Affected by this issue is the function recvUpgradeNewFw of the file /cgi-bin/cstecgi.cgi. This manipulation causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
Published: 2026-03-20
Score: 6.9 Medium
EPSS: 1.9% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in the recvUpgradeNewFw function of the cstecgi.cgi script on Totolink WA300 routers, allowing the injection of arbitrary operating‑system commands. This results in full remote code execution, giving an attacker the ability to execute any command within the firmware’s environment. The weakness corresponds to classic OS command injection, identified as CWE‑77 and CWE‑78. The impact is loss of confidentiality, integrity, and availability of the device and its hosted network services.

Affected Systems

Affected devices are Totolink WA300 routers running firmware version 5.2cu.7112_B20190227. The vulnerability is confined to this specific firmware build and the cstecgi.cgi module; newer firmware revisions are not reported to contain the issue.

Risk and Exploitability

The CVSS score of 6.9 indicates medium severity, while the EPSS score of 2% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, implying no confirmed widespread exploitation yet. Attackers can target the device over the network by sending crafted CGI requests to /cgi-bin/cstecgi.cgi; it is inferred that authentication is not required for the attack to succeed, making it an unauthenticated remote vulnerability.

Generated by OpenCVE AI on June 18, 2026 at 10:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade firmware to the latest Totolink WA300 release that addresses the recvUpgradeNewFw command injection issue.
  • If a firmware update is not immediately possible, restrict external access to /cgi-bin/cstecgi.cgi using firewall rules or router ACLs, limiting access to trusted internal hosts.
  • As a temporary measure, disable the cstecgi.cgi CGI module through the router’s configuration interface or by configuring the script to return a 403 response to unauthenticated requests, thereby preventing command injection.

Generated by OpenCVE AI on June 18, 2026 at 10:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 11:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:h:totolink:wa300:-:*:*:*:*:*:*:*
cpe:2.3:o:totolink:wa300_firmware:5.2cu.7112_b20190227:*:*:*:*:*:*:*

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Totolink wa300
Vendors & Products Totolink wa300

Fri, 20 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was determined in Totolink WA300 5.2cu.7112_B20190227. Affected by this issue is the function recvUpgradeNewFw of the file /cgi-bin/cstecgi.cgi. This manipulation causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
Title Totolink WA300 cstecgi.cgi recvUpgradeNewFw os command injection
First Time appeared Totolink
Totolink wa300 Firmware
Weaknesses CWE-77
CWE-78
CPEs cpe:2.3:o:totolink:wa300_firmware:*:*:*:*:*:*:*:*
Vendors & Products Totolink
Totolink wa300 Firmware
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Totolink Wa300 Wa300 Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-20T21:23:40.061Z

Reserved: 2026-03-20T09:21:26.000Z

Link: CVE-2026-4497

cve-icon Vulnrichment

Updated: 2026-03-20T21:23:34.156Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T19:16:20.533

Modified: 2026-06-17T10:56:42.343

Link: CVE-2026-4497

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T10:15:03Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')