Description
A security flaw has been discovered in Totolink A3300R 17.0.0cu.557_b20221024. Affected is the function setSyslogCfg of the file /cgi-bin/cstecgi.cgi. Performing a manipulation of the argument provided results in command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks.
Published: 2026-03-31
Score: 6.9 Medium
EPSS: 2.2% Low
KEV: No
Impact: Remote Command Execution via CGI Command Injection
Action: Immediate Patch
AI Analysis

Impact

A flaw in the Totolink A3300R router firmware 17.0.0cu.557_b20221024 allows an attacker to inject arbitrary shell commands through the setSyslogCfg function in the /cgi-bin/cstecgi.cgi script. Because the command is executed with the router’s system privileges, successful exploitation can lead to full remote code execution, enabling an attacker to modify settings, retrieve configuration, or further compromise the device. The vulnerability arises from insufficient input validation and originates in the command injection weakness described by CWE-74 and the improper handling of system commands, CWE-77.

Affected Systems

This vulnerability is specific to the Totolink A3300R router, particularly those running firmware version 17.0.0cu.557_b20221024. Earlier firmware releases that contain the same implementation of setSyslogCfg are also potentially affected. The CPE identifiers for the affected product include cpe:2.3:o:totolink:a3300r_firmware:17.0.0cu.557_b20221024, which represents the vulnerable firmware configuration.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, while the EPSS score of 5% suggests a relatively low probability of exploitation in the wild. However, the flaw can be triggered remotely without authentication, as the attack vector relies on making HTTP requests to the vulnerable CGI endpoint. Because the exploit code has been publicly released, the risk to devices exposed to the internet or accessible to hostile local actors is significant. The vulnerability is not listed in the CISA KEV catalog, but its nature of unvalidated command injection makes it a typical example of the CWE vulnerabilities listed.

Generated by OpenCVE AI on April 6, 2026 at 19:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the router to a firmware version that fixes the setSyslogCfg command injection.
  • Disable remote Web management or restrict it to trusted IP ranges via the router’s configuration or an external firewall.
  • If a firmware update is not yet available, block HTTP access to /cgi-bin/cstecgi.cgi through the router’s firewall or a network perimeter device.
  • Monitor system logs for suspicious activity and consider implementing intrusion detection specific to command injection attempts.

Generated by OpenCVE AI on April 6, 2026 at 19:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:h:totolink:a3300r:-:*:*:*:*:*:*:*
cpe:2.3:o:totolink:a3300r_firmware:17.0.0cu.557_b20221024:*:*:*:*:*:*:*

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Totolink a3300r
Vendors & Products Totolink a3300r

Tue, 31 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in Totolink A3300R 17.0.0cu.557_b20221024. Affected is the function setSyslogCfg of the file /cgi-bin/cstecgi.cgi. Performing a manipulation of the argument provided results in command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks.
Title Totolink A3300R cstecgi.cgi setSyslogCfg command injection
First Time appeared Totolink
Totolink a3300r Firmware
Weaknesses CWE-74
CWE-77
CPEs cpe:2.3:o:totolink:a3300r_firmware:*:*:*:*:*:*:*:*
Vendors & Products Totolink
Totolink a3300r Firmware
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Totolink A3300r A3300r Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-31T15:33:16.783Z

Reserved: 2026-03-30T18:53:39.769Z

Link: CVE-2026-5176

cve-icon Vulnrichment

Updated: 2026-03-31T15:33:13.238Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T02:15:59.803

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-5176

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T08:08:17Z

Weaknesses