Description
A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_b20221024. Impacted is the function setStaticRoute of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument ip leads to command injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.
Published: 2026-03-30
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A command injection flaw exists in the setStaticRoute handler of /cgi-bin/cstecgi.cgi on Totolink A3300R routers. The handler does not sanitize the ip argument before it is used in a system command, so a crafted value for ip can cause arbitrary commands to run on the device. Successful exploitation affects the confidentiality, integrity and availability of the router and, through it, of the network it serves.

Affected Systems

The vulnerability affects Totolink A3300R routers running firmware version 17.0.0cu.557_b20221024. The affected component is the cstecgi.cgi CGI script used for static route configuration.

Risk and Exploitability

The score of 5.3 is the CVSS v4.0 value with the threat metric E:P applied; CVSS v3.1 scores the flaw 6.3. Both vectors mark it network-reachable but requiring low privileges (PR:L, Au:S in v2), so an attacker needs valid credentials for the management interface, or another way to reach setStaticRoute as an authenticated user, before the injection is exposed. The EPSS score below 1% suggests a low probability of exploitation in the wild, but a public proof of concept exists, and the SSVC assessment records Exploitation as poc, Automatable as no and Technical Impact as partial. The CVE is not listed in CISA's KEV catalog. With no vendor fix published, the flaw remains exploitable until a firmware update that addresses it is applied.

Generated by OpenCVE AI on May 22, 2026 at 15:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a firmware upgrade from Totolink once one that addresses this command injection is released; at the time of writing no vendor fix or workaround is recorded.
  • Limit access to the router's management interface (including /cgi-bin/cstecgi.cgi) to a trusted management VLAN or a small set of source addresses using firewall rules, and do not expose it to the WAN.
  • Monitor HTTP access logs and device logs for requests to cstecgi.cgi whose address fields contain shell metacharacters, and for unexpected process or command execution on the device.
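The defensive pattern behind the first and third actions, as an added example in Python that is not Totolink's code (the real cstecgi.cgi internals are not on this page): a strict dotted-quad validator for the ip argument, a route command built as an argv list so the value never reaches a shell, and a classifier that flags captured cstecgi.cgi requests whose setStaticRoute fields fail that validator. It goes beyond the advisory by checking the sibling netmask and gateway fields as well as ip. The JSON body shape with a topicurl handler name, those two field names, the route argv layout and all sample requests are assumptions constructed for the example; the flagged sample carries a generic shell metacharacter, not a verified payload.

```python
"""Hardening and detection helpers for the CVE-2026-5104 bug class.

Added example: not Totolink firmware code.  Request shape (JSON body with a
"topicurl" handler name), the netmask/gateway field names, the route argv
and all sample traffic are assumptions constructed for illustration.
"""
import ipaddress
import json
import re
from typing import Dict, List, Sequence, Tuple

# Plain dotted quad only: four runs of 1-3 digits.  No whitespace, no sign,
# no shell metacharacters, nothing else.  fullmatch() avoids the trailing
# newline that a bare '$' anchor would tolerate.
_DOTTED_QUAD = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def is_strict_ipv4(value: object) -> bool:
    """True only for a canonical IPv4 literal such as '192.168.0.1'."""
    if not isinstance(value, str) or not _DOTTED_QUAD.fullmatch(value):
        return False
    try:
        ipaddress.IPv4Address(value)  # rejects octets above 255
    except ipaddress.AddressValueError:
        return False
    return True


def build_route_argv(dest: str, mask: str, gateway: str) -> List[str]:
    """Hardened pattern for a setStaticRoute-style handler.

    Every field is validated, then returned as an argv list meant for
    subprocess.run(argv, shell=False) / execve.  Nothing is concatenated
    into a shell string, so a metacharacter cannot become a command; a
    malformed field is rejected before any process is started.
    The argv layout is an assumption for a Linux-based router.
    """
    for name, val in (("ip", dest), ("netmask", mask), ("gateway", gateway)):
        if not is_strict_ipv4(val):
            raise ValueError(f"{name} is not a dotted-quad IPv4 address: {val!r}")
    return ["route", "add", "-net", dest, "netmask", mask, "gw", gateway]


CGI_PATH = "/cgi-bin/cstecgi.cgi"
TARGET_HANDLER = "setStaticRoute"
ADDRESS_FIELDS = ("ip", "netmask", "gateway")  # only "ip" is named in the advisory


def classify_request(method: str, path: str, body: str) -> Dict[str, str]:
    """Classify one captured HTTP request against this bug's surface.

    Verdicts: "ignore" (not this surface), "ok" (well-formed call),
    "suspicious" (unparseable body sent to the CGI) or "alert"
    (setStaticRoute with an address field that is not a clean IPv4 literal).
    """
    if path != CGI_PATH:
        return {"verdict": "ignore", "reason": "not cstecgi.cgi"}
    try:
        payload = json.loads(body) if body else {}
    except json.JSONDecodeError:
        return {"verdict": "suspicious", "reason": "unparseable body to cstecgi.cgi"}
    if not isinstance(payload, dict) or payload.get("topicurl") != TARGET_HANDLER:
        return {"verdict": "ignore", "reason": "not the setStaticRoute handler"}
    for field in ADDRESS_FIELDS:
        if field in payload and not is_strict_ipv4(payload[field]):
            return {"verdict": "alert",
                    "reason": f"{method} {TARGET_HANDLER} with non-IPv4 {field}={payload[field]!r}"}
    return {"verdict": "ok", "reason": f"{method} {TARGET_HANDLER} with well-formed address fields"}


# Constructed sample traffic (not real captures): a benign route change, the
# same call with a shell metacharacter in ip, a truncated body, and an
# unrelated page fetch.
SAMPLE_REQUESTS: Sequence[Tuple[str, str, str]] = (
    ("POST", CGI_PATH,
     '{"topicurl":"setStaticRoute","ip":"10.10.0.0",'
     '"netmask":"255.255.0.0","gateway":"192.168.0.254"}'),
    ("POST", CGI_PATH,
     '{"topicurl":"setStaticRoute","ip":"10.10.0.0;id",'
     '"netmask":"255.255.0.0","gateway":"192.168.0.254"}'),
    ("POST", CGI_PATH, '{"topicurl":"setStaticRoute","ip":'),
    ("GET", "/index.html", ""),
)


def scan(requests: Sequence[Tuple[str, str, str]]) -> List[str]:
    """Return the verdict for each request, in order."""
    return [classify_request(*req)["verdict"] for req in requests]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, scan(SAMPLE_REQUESTS)):
        print(f"{verdict:<10} {req[0]} {req[1]}")
```

The validator is deliberately stricter than ipaddress.IPv4Address alone: the regex runs first so that anything with whitespace, a sign, hex or a metacharacter is rejected before it is parsed, and build_route_argv never hands a string to a shell at all, which is the property the vulnerable handler lacks. On the detection side, feed classify_request from whatever captures the request body (a reverse proxy, a packet capture or the device's own HTTP log if it records bodies); ordinary web server access logs usually carry only the path and will not show the ip value.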

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type       Values Removed   Values Added
Metrics                     ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 15:45:00 +0000

Type       Values Removed   Values Added
CPEs                        cpe:2.3:h:totolink:a3300r:-:*:*:*:*:*:*:*
                            cpe:2.3:o:totolink:a3300r_firmware:17.0.0cu.557_b20221024:*:*:*:*:*:*:*

Mon, 30 Mar 2026 07:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Totolink a3300r
Vendors & Products                     Totolink a3300r

Mon, 30 Mar 2026 03:30:00 +0000

Type                  Values Removed   Values Added
Description                            A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_b20221024. Impacted is the function setStaticRoute of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument ip leads to command injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.
Title                                  Totolink A3300R cstecgi.cgi setStaticRoute command injection
First Time appeared                    Totolink
                                       Totolink a3300r Firmware
Weaknesses                             CWE-74
                                       CWE-77
CPEs                                   cpe:2.3:o:totolink:a3300r_firmware:*:*:*:*:*:*:*:*
Vendors & Products                     Totolink
                                       Totolink a3300r Firmware
References
Metrics                                cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                                       cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                                       cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                                       cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-01T18:04:38.639Z

Reserved: 2026-03-29T17:50:53.126Z

Link: CVE-2026-5104

Vulnrichment

Updated: 2026-04-01T18:04:32.416Z

NVD

Status : Analyzed

Published: 2026-03-30T03:15:58.187

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-5104

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T15:30:38Z

Weaknesses