Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_b20221024. Impacted is the function setStaticRoute of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument ip leads to command injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.
AnalysisAI
Command injection in Totolink A3300R router firmware version 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary commands via a crafted ip parameter in the setStaticRoute function of /cgi-bin/cstecgi.cgi. The vulnerability carries a CVSS score of 6.3 (medium severity) with public exploit code available, enabling potential compromise of router configuration and data integrity.
Technical ContextAI
The vulnerability stems from improper input validation in the CGI script handler cstecgi.cgi, specifically in the setStaticRoute function which processes static routing configuration. The flaw is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command), indicating that user-supplied input from the ip parameter is not properly sanitized before being passed to command execution contexts. Totolink A3300R is a consumer-grade WiFi router; the affected CPE range encompasses multiple firmware versions of this device model. The web-based administration interface accessible via /cgi-bin/cstecgi.cgi is the attack surface, requiring the attacker to have authenticated access (PR:L per CVSS vector), suggesting the vulnerability exploits weak default credentials, session hijacking, or cross-site request forgery on already-authenticated sessions.
RemediationAI
Verify current firmware version and check Totolink's official support portal (https://www.totolink.net/) for available firmware updates to a version later than 17.0.0cu.557_b20221024. Immediate workarounds include: restricting administrative interface access via firewall rules to trusted networks only, changing default router credentials to strong unique passwords, disabling remote management features if not required, and isolating router administration to a separate management VLAN. Given the low bar for exploitation (weak credentials), credential hygiene is critical. If a patched firmware version becomes available from Totolink, apply it immediately via the router's web interface or management tools.
Command injection in Totolink A3300R router firmware 17.0.0cu.557_b20221024 allows unauthenticated remote attackers to e
Command injection in Totolink A3300R firmware version 17.0.0cu.557_b20221024 allows authenticated remote attackers to ex
Remote command injection in Totolink A3300R firmware 17.0.0cu.557_b20221024 allows authenticated remote attackers to exe
Command injection in Totolink A3300R 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary s
Command injection in Totolink A3300R firmware versions up to 17.0.0cu.557_b20221024 allows authenticated remote attacker
Command injection in Totolink A3300R firmware 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute ar
Command injection in Totolink A3300R 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary c
OS command injection in Totolink A3300R firmware version 17.0.0cu.557_B20221024 allows authenticated local attackers to
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17054
GHSA-83j7-f6w3-6wmp