Skip to main content

A3300R CVE-2026-5104

| EUVDEUVD-2026-17054 LOW
Command Injection (CWE-77)
2026-03-30 VulDB GHSA-83j7-f6w3-6wmp
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
5.3 (MEDIUM) 2.1 (LOW)
PoC Detected
Mar 30, 2026 - 15:41 vuln.today
Public exploit code
EUVD ID Assigned
Mar 30, 2026 - 02:30 euvd
EUVD-2026-17054
Analysis Generated
Mar 30, 2026 - 02:30 vuln.today
CVE Published
Mar 30, 2026 - 02:00 nvd
MEDIUM 5.3

DescriptionCVE.org

A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_b20221024. Impacted is the function setStaticRoute of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument ip leads to command injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.

AnalysisAI

Command injection in Totolink A3300R router firmware version 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary commands via a crafted ip parameter in the setStaticRoute function of /cgi-bin/cstecgi.cgi. The vulnerability carries a CVSS score of 6.3 (medium severity) with public exploit code available, enabling potential compromise of router configuration and data integrity.

Technical ContextAI

The vulnerability stems from improper input validation in the CGI script handler cstecgi.cgi, specifically in the setStaticRoute function which processes static routing configuration. The flaw is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command), indicating that user-supplied input from the ip parameter is not properly sanitized before being passed to command execution contexts. Totolink A3300R is a consumer-grade WiFi router; the affected CPE range encompasses multiple firmware versions of this device model. The web-based administration interface accessible via /cgi-bin/cstecgi.cgi is the attack surface, requiring the attacker to have authenticated access (PR:L per CVSS vector), suggesting the vulnerability exploits weak default credentials, session hijacking, or cross-site request forgery on already-authenticated sessions.

RemediationAI

Verify current firmware version and check Totolink's official support portal (https://www.totolink.net/) for available firmware updates to a version later than 17.0.0cu.557_b20221024. Immediate workarounds include: restricting administrative interface access via firewall rules to trusted networks only, changing default router credentials to strong unique passwords, disabling remote management features if not required, and isolating router administration to a separate management VLAN. Given the low bar for exploitation (weak credentials), credential hygiene is critical. If a patched firmware version becomes available from Totolink, apply it immediately via the router's web interface or management tools.

Share

CVE-2026-5104 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy