Skip to main content

A3300R CVE-2026-5102

| EUVDEUVD-2026-17050 LOW
Command Injection (CWE-77)
2026-03-30 VulDB GHSA-h2wr-p8mq-wj29
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
5.3 (MEDIUM) 2.1 (LOW)
PoC Detected
Mar 30, 2026 - 15:49 vuln.today
Public exploit code
EUVD ID Assigned
Mar 30, 2026 - 00:15 euvd
EUVD-2026-17050
Analysis Generated
Mar 30, 2026 - 00:15 vuln.today
CVE Published
Mar 30, 2026 - 00:00 nvd
MEDIUM 5.3

DescriptionCVE.org

A security flaw has been discovered in Totolink A3300R 17.0.0cu.557_b20221024. This vulnerability affects the function setSmartQosCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. The manipulation of the argument qos_up_bw results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.

AnalysisAI

Command injection in Totolink A3300R 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary system commands via the qos_up_bw parameter in the setSmartQosCfg function of /cgi-bin/cstecgi.cgi. The vulnerability has a CVSS score of 6.3 (medium severity) with low attack complexity, and publicly available exploit code exists, though no active exploitation via CISA KEV has been confirmed at time of analysis.

Technical ContextAI

The vulnerability resides in the Parameter Handler component of Totolink's web-based management interface (cstecgi.cgi), specifically in the setSmartQosCfg function which handles Quality of Service bandwidth configuration. The root cause is improper input validation of the qos_up_bw parameter, classified as CWE-77 (Improper Neutralization of Special Elements used in a Command), allowing an attacker to inject shell metacharacters or command separators. The affected device is the Totolink A3300R wireless router, a consumer-grade networking device that exposes this CGI endpoint via HTTP/HTTPS without sufficient input sanitization.

RemediationAI

Users should immediately contact Totolink for patched firmware versions, as no specific vendor-released patch version is referenced in available data. In the interim, restrict network access to the router's management interface (typically port 80/443) to trusted IP addresses only, change default administrative credentials if not already done, and consider disabling remote management features if not required. Firmware updates, when available, should be obtained exclusively from Totolink's official website at https://www.totolink.net/. Organizations managing multiple A3300R units should prioritize patching and credential rotation, as the low attack complexity and public POC availability create elevated attack probability for networked environments.

Share

CVE-2026-5102 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy