Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A security flaw has been discovered in Totolink A3300R 17.0.0cu.557_b20221024. This vulnerability affects the function setSmartQosCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. The manipulation of the argument qos_up_bw results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.
AnalysisAI
Command injection in Totolink A3300R 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary system commands via the qos_up_bw parameter in the setSmartQosCfg function of /cgi-bin/cstecgi.cgi. The vulnerability has a CVSS score of 6.3 (medium severity) with low attack complexity, and publicly available exploit code exists, though no active exploitation via CISA KEV has been confirmed at time of analysis.
Technical ContextAI
The vulnerability resides in the Parameter Handler component of Totolink's web-based management interface (cstecgi.cgi), specifically in the setSmartQosCfg function which handles Quality of Service bandwidth configuration. The root cause is improper input validation of the qos_up_bw parameter, classified as CWE-77 (Improper Neutralization of Special Elements used in a Command), allowing an attacker to inject shell metacharacters or command separators. The affected device is the Totolink A3300R wireless router, a consumer-grade networking device that exposes this CGI endpoint via HTTP/HTTPS without sufficient input sanitization.
RemediationAI
Users should immediately contact Totolink for patched firmware versions, as no specific vendor-released patch version is referenced in available data. In the interim, restrict network access to the router's management interface (typically port 80/443) to trusted IP addresses only, change default administrative credentials if not already done, and consider disabling remote management features if not required. Firmware updates, when available, should be obtained exclusively from Totolink's official website at https://www.totolink.net/. Organizations managing multiple A3300R units should prioritize patching and credential rotation, as the low attack complexity and public POC availability create elevated attack probability for networked environments.
Command injection in Totolink A3300R router firmware 17.0.0cu.557_b20221024 allows unauthenticated remote attackers to e
Command injection in Totolink A3300R firmware version 17.0.0cu.557_b20221024 allows authenticated remote attackers to ex
Command injection in Totolink A3300R router firmware version 17.0.0cu.557_b20221024 allows authenticated remote attacker
Remote command injection in Totolink A3300R firmware 17.0.0cu.557_b20221024 allows authenticated remote attackers to exe
Command injection in Totolink A3300R firmware versions up to 17.0.0cu.557_b20221024 allows authenticated remote attacker
Command injection in Totolink A3300R firmware 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute ar
Command injection in Totolink A3300R 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary c
OS command injection in Totolink A3300R firmware version 17.0.0cu.557_B20221024 allows authenticated local attackers to
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17050
GHSA-h2wr-p8mq-wj29