Description
A vulnerability was identified in Totolink N300RH 6.1c.1353_B20190305. This impacts the function setUploadSetting of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument FileName leads to file inclusion. The attack may be performed from remote. The exploit is publicly available and might be used.
Published: 2026-05-02
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A file inclusion flaw, classified as CWE-73 (external control of file name or path), exists in the setUploadSetting handler of /cgi-bin/cstecgi.cgi in Totolink N300RH firmware 6.1c.1353_B20190305. The FileName argument is used without validation, so a remote caller can steer the handler to a file of their choosing instead of one inside the intended upload location. The vectors attached to the record (AV:N, PR:N, UI:N) indicate that the request needs neither authentication nor user interaction. Note that the same vectors rate the confidentiality impact as none and integrity and availability as low, so the record itself does not support claims of code execution or data disclosure; treat those as unconfirmed until the public exploit has been analysed.
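The following is an added example, not code from Totolink or from the advisory: a minimal CGI-style path builder that shows the CWE-73 pattern the record describes (a user-controlled FileName spliced straight into a filesystem path) next to a hardened version that confines the name to a fixed upload directory. The function names, the /tmp/upload directory and the 64-character limit are assumptions; the real setUploadSetting code is not reproduced on this page.

```c
/* Added example, not Totolink code. Shows the CWE-73 pattern beside a
 * hardened path builder. UPLOAD_DIR and the 64-byte name limit are assumed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define UPLOAD_DIR "/tmp/upload"   /* assumed staging directory */

/* Vulnerable pattern (CWE-73): the attacker's FileName is spliced into the
 * path unchanged, so "../../etc/passwd" walks out of UPLOAD_DIR. */
int build_path_unsafe(const char *filename, char *out, size_t outlen)
{
    int w = snprintf(out, outlen, "%s/%s", UPLOAD_DIR, filename);
    return w > 0 && (size_t)w < outlen;
}

/* Hardened version: accept only a bare file name drawn from a conservative
 * character set (no '/', '\\', '%', NUL or whitespace), not starting with
 * '.', containing no "..", and of bounded length; then join it to the
 * fixed base directory. Rejecting rather than "cleaning" avoids bypasses
 * such as "....//" that survive a naive strip of "../". */
int build_path_safe(const char *filename, char *out, size_t outlen)
{
    if (filename == NULL) return 0;
    size_t n = strlen(filename);
    if (n == 0 || n > 64) return 0;
    if (filename[0] == '.') return 0;            /* blocks ".", "..", dotfiles */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)filename[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    if (strstr(filename, "..") != NULL) return 0; /* belt and braces */
    int w = snprintf(out, outlen, "%s/%s", UPLOAD_DIR, filename);
    return w > 0 && (size_t)w < outlen;
}

/* Demo wrapper: returns the built path, or NULL if the name was rejected.
 * Uses a static buffer, so it is not reentrant. */
const char *resolve_upload_path(const char *filename, int hardened)
{
    static char buf[256];
    int ok = hardened ? build_path_safe(filename, buf, sizeof buf)
                      : build_path_unsafe(filename, buf, sizeof buf);
    return ok ? buf : NULL;
}

int main(void)
{
    const char *inputs[] = { "firmware.bin", "../../etc/passwd", "/etc/passwd", "a..b" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        const char *u = resolve_upload_path(inputs[i], 0);
        printf("unsafe  %-20s -> %s\n", inputs[i], u ? u : "(rejected)");
        const char *s = resolve_upload_path(inputs[i], 1);
        printf("safe    %-20s -> %s\n", inputs[i], s ? s : "(rejected)");
    }
    return 0;
}
```

The hardened builder deliberately uses an allow-list rather than stripping traversal sequences; on a firmware image where the upload directory is fixed, a bare name with a short allowed alphabet is all the handler ever needs to accept.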

Affected Systems

The vulnerable product is the Totolink N300RH. Firmware 6.1c.1353_B20190305 is the build named in the record, and the CPE entry (cpe:2.3:o:totolink:n300rh_firmware:*:*:*:*:*:*:*:*) carries no version bound, so other builds of the same firmware that ship the same cstecgi.cgi script should be assumed affected until the vendor states otherwise. The issue lies in the device's web management interface.

Risk and Exploitability

The CVSS v4.0 base score is 6.9 (medium); the v3.0/v3.1 vectors score it 6.5 and the v2.0 vector 6.4, all with network attack vector and no privileges required. No EPSS value has been assigned yet, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalogue. The vectors do carry E:P (proof-of-concept exploit code is public), which lowers the bar for opportunistic attackers, but nothing on the record indicates in-the-wild exploitation. The flaw is reached through HTTP requests to /cgi-bin/cstecgi.cgi; the scored impact is low integrity and availability loss with no confidentiality impact.

Generated by OpenCVE AI on May 2, 2026 at 15:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Totolink N300RH firmware build that addresses the setUploadSetting issue as soon as the vendor publishes one; at the time of writing none is listed, so the steps below are the only available controls.
  • Keep the web management interface off the WAN: block external access to /cgi-bin/cstecgi.cgi (and preferably to the whole HTTP management port) with firewall rules or access control lists, allowing only trusted internal networks.
  • If the upload feature behind setUploadSetting is not needed, disable it where the firmware allows. Removing cstecgi.cgi itself is rarely practical, since the same script serves the rest of the web interface, so network-level restriction is the more realistic control.
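As an added example (not part of the OpenCVE page or the vendor's tooling), the checker below is the kind of rule a perimeter proxy or a log-review script could apply while the device remains unpatched: it picks out requests bound for /cgi-bin/cstecgi.cgi whose FileName value, after URL decoding, tries to leave the intended directory. It assumes the FileName argument is visible as a "FileName=" parameter in the logged request line; the real request shape is not documented on this page, and the sample log lines are constructed.

```c
/* Added example, not from the advisory or the vendor. Flags cstecgi.cgi
 * requests whose FileName parameter looks like directory escape. The
 * "FileName=" query-string form and the log lines below are assumptions. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)tolower((unsigned char)c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode src into dst (at most dstlen-1 bytes). An encoded NUL
 * (%00) is a red flag on its own, so it is reported via saw_nul and
 * replaced by '?' rather than written into the buffer. */
static void url_decode(const char *src, char *dst, size_t dstlen, int *saw_nul)
{
    size_t j = 0;
    *saw_nul = 0;
    for (size_t i = 0; src[i] && j + 1 < dstlen; i++) {
        if (src[i] == '%' && hexval(src[i + 1]) >= 0 && hexval(src[i + 2]) >= 0) {
            int v = hexval(src[i + 1]) * 16 + hexval(src[i + 2]);
            if (v == 0) { *saw_nul = 1; v = '?'; }
            dst[j++] = (char)v;
            i += 2;
        } else {
            dst[j++] = src[i];
        }
    }
    dst[j] = '\0';
}

/* Returns 1 if a raw (still URL-encoded) FileName value looks like an attempt
 * to escape the upload directory: traversal, absolute path, backslash,
 * embedded NUL, or a URL scheme. Decodes twice so double-encoding
 * (%252e%252e) is caught as well. */
int suspicious_filename(const char *raw)
{
    char dec[512], dec2[512];
    int nul1, nul2;
    url_decode(raw, dec, sizeof dec, &nul1);
    url_decode(dec, dec2, sizeof dec2, &nul2);
    if (nul1 || nul2) return 1;
    const char *cands[2] = { dec, dec2 };
    for (int k = 0; k < 2; k++) {
        const char *s = cands[k];
        if (s[0] == '/') return 1;
        if (strstr(s, "..") || strchr(s, '\\') || strstr(s, "://")) return 1;
    }
    return 0;
}

/* Extracts the FileName parameter from a logged request line aimed at
 * cstecgi.cgi; returns 1 if the line should be alerted on. */
int flag_request_line(const char *line)
{
    if (strstr(line, "/cgi-bin/cstecgi.cgi") == NULL) return 0;
    const char *p = strstr(line, "FileName=");
    if (p == NULL) return 0;
    p += strlen("FileName=");
    size_t n = strcspn(p, "& \t\"'");         /* value ends at '&', space or quote */
    char raw[512];
    if (n >= sizeof raw) n = sizeof raw - 1;
    memcpy(raw, p, n);
    raw[n] = '\0';
    return suspicious_filename(raw);
}

/* Constructed sample log lines (not real traffic). */
static const char *SAMPLES[] = {
    "203.0.113.7 - - [02/May/2026:15:20:01 +0000] \"POST /cgi-bin/cstecgi.cgi?FileName=firmware.bin HTTP/1.1\" 200 45",
    "203.0.113.7 - - [02/May/2026:15:20:02 +0000] \"POST /cgi-bin/cstecgi.cgi?FileName=../../../etc/passwd HTTP/1.1\" 200 1208",
    "203.0.113.7 - - [02/May/2026:15:20:03 +0000] \"POST /cgi-bin/cstecgi.cgi?FileName=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1\" 200 640",
    "203.0.113.7 - - [02/May/2026:15:20:04 +0000] \"GET /cgi-bin/cstecgi.cgi?FileName=%252e%252e%252fetc%252fpasswd HTTP/1.1\" 200 1208",
    "192.0.2.5 - - [02/May/2026:15:21:00 +0000] \"GET /index.html?FileName=../../etc/passwd HTTP/1.1\" 404 0",
};

/* Number of sample lines that trip the rule. */
int count_flagged(void)
{
    int hits = 0;
    for (size_t i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++)
        hits += flag_request_line(SAMPLES[i]);
    return hits;
}

int main(void)
{
    for (size_t i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++)
        printf("%s %s\n", flag_request_line(SAMPLES[i]) ? "ALERT" : "ok   ", SAMPLES[i]);
    return 0;
}
```

Decoding twice matters because a single decode of "%252e%252e" yields "%2e%2e", which contains no dots yet; the second pass exposes the traversal. The last sample line carries the same payload against a different path and is intentionally left unflagged, so that the rule stays scoped to the vulnerable endpoint.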



Advisories

No advisories yet.

History

Sat, 02 May 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Totolink n300rh
Vendors & Products Totolink n300rh

Sat, 02 May 2026 14:30:00 +0000

Type Values Removed Values Added
Description A vulnerability was identified in Totolink N300RH 6.1c.1353_B20190305. This impacts the function setUploadSetting of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument FileName leads to file inclusion. The attack may be performed from remote. The exploit is publicly available and might be used.
Title Totolink N300RH cstecgi.cgi setUploadSetting file inclusion
First Time appeared Totolink
Totolink n300rh Firmware
Weaknesses CWE-73
CPEs cpe:2.3:o:totolink:n300rh_firmware:*:*:*:*:*:*:*:*
Vendors & Products Totolink
Totolink n300rh Firmware
References
Metrics cvssV2_0

{'score': 6.4, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-02T14:00:15.320Z

Reserved: 2026-05-01T14:34:15.920Z

Link: CVE-2026-7633

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-02T15:16:13.890

Modified: 2026-05-02T15:16:13.890

Link: CVE-2026-7633

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T15:30:45Z

Weaknesses