Description
A security vulnerability has been detected in Totolink WA300 5.2cu.7112_B20190227. This affects the function NTPSyncWithHost of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument hostTime leads to command injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
Published: 2026-05-04
Score: 5.3 Medium
EPSS: 4.8% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows attackers to inject arbitrary operating‑system commands by manipulating the hostTime parameter in the NTPSyncWithHost function of /cgi-bin/cstecgi.cgi. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.

Affected Systems

The flaw exists in Totolink WA300 routers running firmware version 5.2cu.7112_B20190227. Only devices released with this specific firmware revision are impacted; versions without this revision are not listed as affected.

Risk and Exploitability

A CVSS score of 5.3 indicates moderate severity. The EPSS score of 5% suggests a modest probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Publicly disclosed exploits exist, showing that attackers could weaponise the flaw. Remote attackers can construct a malicious HTTP request to /cgi-bin/cstecgi.cgi, supplying a crafted hostTime value that results in arbitrary command execution on the router’s operating system.

Generated by OpenCVE AI on May 10, 2026 at 15:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the router to the latest Totolink WA300 firmware that contains the fix for the command injection vulnerability.
  • If a firmware update is not immediately available, block or restrict external access to the /cgi-bin/cstecgi.cgi script via the device’s firewall or network segmentation to prevent remote requests.
  • Continuously monitor device logs and network traffic for suspicious requests targeting the hostTime parameter, and apply additional intrusion detection or hardening measures as needed.

Generated by OpenCVE AI on May 10, 2026 at 15:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 04 May 2026 04:45:00 +0000

Type Values Removed Values Added
First Time appeared Totolink wa300
Vendors & Products Totolink wa300

Mon, 04 May 2026 03:00:00 +0000

Type Values Removed Values Added
Description A security vulnerability has been detected in Totolink WA300 5.2cu.7112_B20190227. This affects the function NTPSyncWithHost of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument hostTime leads to command injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
Title Totolink WA300 cstecgi.cgi NTPSyncWithHost command injection
First Time appeared Totolink
Totolink wa300 Firmware
Weaknesses CWE-74
CWE-77
CPEs cpe:2.3:o:totolink:wa300_firmware:*:*:*:*:*:*:*:*
Vendors & Products Totolink
Totolink wa300 Firmware
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Totolink Wa300 Wa300 Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-04T17:50:11.917Z

Reserved: 2026-05-03T08:09:52.083Z

Link: CVE-2026-7721

cve-icon Vulnrichment

Updated: 2026-05-04T16:36:25.500Z

cve-icon NVD

Status : Deferred

Published: 2026-05-04T03:16:12.683

Modified: 2026-05-04T15:18:40.077

Link: CVE-2026-7721

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-10T15:15:14Z

Weaknesses