Description
A vulnerability was determined in Totolink WA300 5.2cu.7112_B20190227. This issue affects the function UploadCustomModule of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Executing a manipulation of the argument File can lead to buffer overflow. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized.
Published: 2026-05-04
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A buffer overflow flaw exists in the UploadCustomModule operation of the /cgi-bin/cstecgi.cgi file within Totolink WA300 routers. By supplying a crafted File argument in a POST request, an attacker can overflow a memory buffer, potentially corrupting execution flow. The flaw can be exploited remotely without authentication and could allow arbitrary code execution or denial of service on the affected device.

Affected Systems

The vulnerability is confirmed only in Totolink WA300 devices running firmware version 5.2cu.7112_B20190227. There is insufficient information to determine whether other firmware releases are affected; the status of unmodified code paths in those versions is unknown.

Risk and Exploitability

The CVSS score of 8.7 classifies this as a high‑severity issue. EPSS information is not available, but the vulnerability is publicly disclosed and can be triggered remotely, indicating a tangible exploitation risk. The issue is not listed in the CISA KEV catalog, yet the absence of a mitigation and the availability of a public exploit suggest that attackers may target vulnerable devices in the wild.

Generated by OpenCVE AI on May 4, 2026 at 03:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the latest Totolink WA300 firmware that patches the buffer overflow
  • If a firmware upgrade is not available, block or restrict access to the /cgi-bin/cstecgi.cgi endpoint using network filtering or firewall rules to prevent unauthenticated POST traffic
  • If the device configuration allows, disable the UploadCustomModule feature to eliminate the vulnerable code path

Advisories

No advisories yet.

History

Mon, 04 May 2026 02:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Totolink wa300
Vendors & Products | | Totolink wa300

Mon, 04 May 2026 01:15:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was determined in Totolink WA300 5.2cu.7112_B20190227. This issue affects the function UploadCustomModule of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Executing a manipulation of the argument File can lead to buffer overflow. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized.
Title | | Totolink WA300 POST Request cstecgi.cgi UploadCustomModule buffer overflow
First Time appeared | | Totolink; Totolink wa300 Firmware
Weaknesses | | CWE-119; CWE-120
CPEs | | cpe:2.3:o:totolink:wa300_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Totolink; Totolink wa300 Firmware
References | |
Metrics | | cvssV2_0: {'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}; cvssV3_0: {'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}; cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}; cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-04T01:00:23.203Z

Reserved: 2026-05-03T08:09:22.039Z

Link: CVE-2026-7717

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-04T01:16:05.380

Modified: 2026-05-04T01:16:05.380

Link: CVE-2026-7717

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T03:30:35Z

Weaknesses