CVE-2026-5101 - Vulnerability Details

- Totolink A3300R Parameter cstecgi.cgi setLanCfg command injection

Description

A vulnerability was identified in Totolink A3300R 17.0.0cu.557_b20221024. This affects the function setLanCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. The manipulation of the argument lanIp leads to command injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.

Published: 2026-03-29

Score: 5.3 Medium

EPSS: 3.6% Low

KEV: No

Impact:

Action:

Analysis

Impact

The setLanCfg function of /cgi-bin/cstecgi.cgi in Totolink A3300R firmware 17.0.0cu.557_b20221024 allows an attacker to inject arbitrary shell commands via the lanIp parameter, leading to remote command execution. This flaw falls under command injection weaknesses (CWE‑74, CWE‑77, CWE‑78) and enables the attacker to run arbitrary code on the device.

Affected Systems

Devices running the specified firmware version on the Totolink A3300R router are affected; the vulnerable component is the Parameter Handler accessed through the /cgi-bin/cstecgi.cgi endpoint.

Risk and Exploitability

The CVSS base score of 5.3 denotes moderate severity and the EPSS of 3 % indicates a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog, suggesting no widespread proof‑of‑concept exploits are in circulation. Attackers can send a crafted HTTP request containing a tampered lanIp value directly to the router; the description does not detail authentication requirements, implying that a reachable router can be compromised without valid credentials.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Totolink

A3300R

affected

Version	Status	Constraints
`17.0.0cu.557_b20221024`	affected	—

Configuration 1 [-]

AND

cpe:2.3:o:totolink:a3300r_firmware:17.0.0cu.557_b20221024:*:*:*:*:*:*:*

cpe:2.3:h:totolink:a3300r:-:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Totolink

A3300r

100%

Version	Status	Scheme	Platform
`17.0.0cu.557_b20221024`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Install the latest firmware from the Totolink website that addresses the command‑injection problem as soon as it becomes available.
If no patch is available, restrict remote access to the /cgi-bin/cstecgi.cgi endpoint using firewall or ACL rules.
Disable remote management or web‑based configuration interfaces that expose the vulnerable endpoint until a patch is applied.
Monitor device logs for abnormal uses of the lanIp parameter or unexpected command execution attempts.

Generated by OpenCVE AI on March 30, 2026 at 18:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.03624.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/Litengzheng/vul_db/blob/main/A3300R/vul_39/README.md
https://vuldb.com/submit/779128
https://vuldb.com/vuln/354126
https://vuldb.com/vuln/354126/cti
https://www.totolink.net/

History

Mon, 30 Mar 2026 16:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-78
CPEs		cpe:2.3:h:totolink:a3300r:-:::::::* cpe:2.3:o:totolink:a3300r_firmware:17.0.0cu.557_b20221024:::::::*

Mon, 30 Mar 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 30 Mar 2026 08:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Totolink a3300r
Vendors & Products		Totolink a3300r

Mon, 30 Mar 2026 03:30:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was identified in Totolink A3300R 17.0.0cu.557_b20221024. This affects the function setLanCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. The manipulation of the argument lanIp leads to command injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.
Title		Totolink A3300R Parameter cstecgi.cgi setLanCfg command injection
First Time appeared		Totolink Totolink a3300r Firmware
Weaknesses		CWE-74 CWE-77
CPEs		cpe:2.3:o:totolink:a3300r_firmware::::::::
Vendors & Products		Totolink Totolink a3300r Firmware
References		https://github.com/Litengzheng/vul_db/blob/main/A3300R/vul_39/README.md https://vuldb.com/submit/779128 https://vuldb.com/vuln/354126 https://vuldb.com/vuln/354126/cti https://www.totolink.net/
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Totolink A3300r A3300r Firmware

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-03-29T23:00:15.592Z

Updated: 2026-03-30T14:52:01.775Z

Reserved: 2026-03-29T17:50:43.221Z

Link: CVE-2026-5101

Vulnrichment

Updated: 2026-03-30T13:13:58.210Z

NVD

Status : Analyzed

Published: 2026-03-29T23:16:48.597

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-5101

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:56:37Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object