Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A vulnerability was identified in Totolink A3300R 17.0.0cu.557_b20221024. This affects the function setLanCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. The manipulation of the argument lanIp leads to command injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.
AnalysisAI
Command injection in Totolink A3300R firmware versions up to 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary commands via the lanIp parameter in the setLanCfg function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists for this vulnerability. With a CVSS score of 5.3 and moderate real-world exploitability, this presents a meaningful risk to affected router installations.
Technical ContextAI
The vulnerability exists in the Parameter Handler component of the Totolink A3300R router firmware, specifically in the setLanCfg function accessible via the web-based CGI interface at /cgi-bin/cstecgi.cgi. The lanIp parameter is improperly validated before being processed, allowing injection of shell metacharacters that are executed by the underlying system command interpreter. This is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command), a command injection flaw stemming from insufficient input sanitization in a network device's administrative interface. The affected product is identified by CPE cpe:2.3:a:totolink:a3300r and specifically version 17.0.0cu.557_b20221024.
RemediationAI
Users should immediately check the Totolink website (https://www.totolink.net/) for an available firmware update addressing CVE-2026-5101 and upgrade to a patched version if available. As an interim workaround pending patch availability, restrict access to the router's web administrative interface (/cgi-bin/cstecgi.cgi) to trusted IP addresses only via firewall rules or disable remote management if not required. Additionally, change default or weak administrative credentials to prevent unauthorized access to the parameter handler. If patch availability cannot be confirmed from the vendor, consider replacing the device with an alternative router or implementing network segmentation to limit the impact of potential command injection exploitation.
Command injection in Totolink A3300R router firmware 17.0.0cu.557_b20221024 allows unauthenticated remote attackers to e
Command injection in Totolink A3300R firmware version 17.0.0cu.557_b20221024 allows authenticated remote attackers to ex
Command injection in Totolink A3300R router firmware version 17.0.0cu.557_b20221024 allows authenticated remote attacker
Remote command injection in Totolink A3300R firmware 17.0.0cu.557_b20221024 allows authenticated remote attackers to exe
Command injection in Totolink A3300R 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary s
Command injection in Totolink A3300R firmware 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute ar
Command injection in Totolink A3300R 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary c
OS command injection in Totolink A3300R firmware version 17.0.0cu.557_B20221024 allows authenticated local attackers to
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17048