Description
A weakness has been identified in Totolink WA300 5.2cu.7112_B20190227. The impacted element is the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. This manipulation of the argument langType causes command injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.
Published: 2026-05-04
Score: 5.3 Medium
EPSS: 2.9% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Totolink WA300 router exposes a command injection flaw in its /cgi-bin/cstecgi.cgi endpoint. By sending a crafted POST request to the setLanguageCfg action, an attacker can manipulate the langType argument to inject arbitrary shell commands. This is a command injection vulnerability (CWE‑77), a member of the broader injection class (CWE‑74): the langType value reaches a command without its special elements being neutralized. It gives an attacker the ability to execute any command on the device and fully compromise the router’s management plane.

Affected Systems

The flaw affects Totolink WA300 routers running firmware build 5.2cu.7112_B20190227. Devices with this exact firmware version are known to be vulnerable; other firmware builds have not been reported as affected.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, the EPSS score is 3%, and the vulnerability is not listed in CISA KEV. The published CVSS vectors describe a network-reachable attack of low complexity that requires low privileges (AV:N/AC:L/PR:L). A public exploit has been released, meaning an attacker can reach the vulnerable endpoint remotely via an HTTP POST request and compromise any router that accepts such traffic over the network.

Generated by OpenCVE AI on May 4, 2026 at 14:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the router to the most recent firmware released by Totolink that fixes the setLanguageCfg command injection.
  • If a firmware update is not yet available, limit access to the /cgi-bin/cstecgi.cgi endpoint to trusted IP addresses or enable local‑only administration.
  • Implement firewall or web‑application‑firewall rules that block POST requests to the router’s admin interface containing shell metacharacters or unexpected parameters.
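
One way to implement the filtering rule in the last recommendation, as an added example (not OpenCVE's or Totolink's code): a per-request check that a reverse proxy placed in front of the admin interface could run. The JSON or form body layout, the `topicurl` and `ssid` field names, the langType allow-list pattern and the sample bodies are assumptions, not taken from the advisory.

```python
import json
import re
from urllib.parse import parse_qsl

CGI_PATH = "/cgi-bin/cstecgi.cgi"
LANG_OK = re.compile(r"[A-Za-z]{2,8}")  # assumption: short alphabetic language codes
SHELL_META = re.compile(r"[;&|`$(){}<>\\\n\r'\"]")  # characters special to a shell


def parse_params(body):
    """Return [(name, value)] from a JSON object or form body, keeping duplicate keys."""
    try:
        data = json.loads(body, object_pairs_hook=tuple)
    except ValueError:
        try:  # not JSON: accept only a well-formed form body
            return parse_qsl(body, keep_blank_values=True, strict_parsing=True)
        except ValueError:
            return []
    if not isinstance(data, tuple):  # valid JSON, but not an object
        return []
    return [(k, v if isinstance(v, str) else json.dumps(v)) for k, v in data]


def verdict(method, path, body):
    """Return (allow, reason) for one request seen by the filtering proxy."""
    if method.upper() != "POST" or path.split("?", 1)[0] != CGI_PATH:
        return True, "out of scope"
    params = parse_params(body)
    if not params:  # fail closed on bodies the filter cannot interpret
        return False, "no parseable parameters"
    for name, value in params:
        if name == "langType" and not LANG_OK.fullmatch(value):
            return False, "langType outside allow-list"
        if SHELL_META.search(value):
            return False, f"shell metacharacter in {name}"
    return True, "ok"


# Constructed request bodies (not captured traffic, not from the advisory).
SAMPLES = [
    '{"topicurl":"setLanguageCfg","langType":"cn"}',
    '{"topicurl":"setLanguageCfg","langType":"cn;x"}',
    '{"langType":"cn","langType":"cn|x"}',
    "topicurl=setLanguageCfg&langType=en",
    '{"langType":"cn',
]

if __name__ == "__main__":
    print(*(verdict("POST", CGI_PATH, b) for b in SAMPLES), sep="\n")
```

The metacharacter rule is deliberately strict and will also reject legitimate values that contain such characters, for example a passphrase, so relax it per parameter only after confirming how the firmware handles that value.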


Advisories

No advisories yet.

History

Mon, 04 May 2026 04:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Totolink wa300 |
| Vendors & Products | | Totolink wa300 |

Mon, 04 May 2026 02:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A weakness has been identified in Totolink WA300 5.2cu.7112_B20190227. The impacted element is the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. This manipulation of the argument langType causes command injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. |
| Title | | Totolink WA300 POST Request cstecgi.cgi setLanguageCfg command injection |
| First Time appeared | | Totolink, Totolink wa300 Firmware |
| Weaknesses | | CWE-74, CWE-77 |
| CPEs | | cpe:2.3:o:totolink:wa300_firmware:*:*:*:*:*:*:*:* |
| Vendors & Products | | Totolink, Totolink wa300 Firmware |
| References | | |
| Metrics | | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'} |
| | | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'} |
| | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'} |
| | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'} |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-04T12:55:27.383Z

Reserved: 2026-05-03T08:09:46.636Z

Link: CVE-2026-7720

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-04T02:15:58.840

Modified: 2026-05-04T15:18:40.077

Link: CVE-2026-7720

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T14:45:02Z

Weaknesses