Skip to main content

A3300R CVE-2026-5176

| EUVDEUVD-2026-17279 MEDIUM
Command Injection (CWE-77)
2026-03-31 VulDB
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
CVSS changed
Apr 29, 2026 - 01:11 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
PoC Detected
Apr 06, 2026 - 15:35 vuln.today
Public exploit code
EUVD ID Assigned
Mar 31, 2026 - 01:45 euvd
EUVD-2026-17279
Analysis Generated
Mar 31, 2026 - 01:45 vuln.today
CVE Published
Mar 31, 2026 - 01:15 nvd
MEDIUM 6.9

DescriptionCVE.org

A security flaw has been discovered in Totolink A3300R 17.0.0cu.557_b20221024. Affected is the function setSyslogCfg of the file /cgi-bin/cstecgi.cgi. Performing a manipulation of the argument provided results in command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks.

AnalysisAI

Command injection in Totolink A3300R router firmware 17.0.0cu.557_b20221024 allows unauthenticated remote attackers to execute arbitrary system commands via the setSyslogCfg function in /cgi-bin/cstecgi.cgi. Public exploit code is available on GitHub, significantly lowering the barrier to exploitation. The CVSS vector (AV:N/AC:L/PR:N) confirms network-accessible exploitation with low complexity and no authentication required, enabling pre-authentication remote code execution on affected routers.

Technical ContextAI

This vulnerability affects the Totolink A3300R wireless router (CPE: cpe:2.3:a:totolink:a3300r), a consumer-grade networking device. The flaw resides in the setSyslogCfg CGI function, which processes syslog configuration parameters through the web management interface at /cgi-bin/cstecgi.cgi. The root cause is CWE-77 (Improper Neutralization of Special Elements used in a Command), commonly known as OS command injection. The vulnerable code fails to sanitize user-supplied input before passing it to system command execution functions, allowing attackers to inject shell metacharacters and arbitrary commands. This is a typical vulnerability pattern in embedded router firmware where web interfaces directly interact with system-level configuration utilities without proper input validation. The CGI-based architecture and network-facing attack surface make this a critical pre-authentication remote code execution vulnerability.

RemediationAI

Users should immediately check for firmware updates from Totolink at https://www.totolink.net/ and upgrade to the latest available version if a patched release exists. No vendor-released patch version was independently confirmed from available data at time of analysis. As an interim mitigation, disable remote web management access to the router's administrative interface, restricting access to trusted local network segments only. Implement network-level access controls (firewall rules) to prevent external access to TCP ports 80 and 443 on the router's WAN interface. Monitor Totolink security advisories and the VulDB report at https://vuldb.com/vuln/354244 for vendor patch announcements. Given the command injection nature and public exploit availability, consider replacing the device with alternative hardware if vendor support is discontinued or patches are not forthcoming. Conduct network segmentation to isolate IoT and router management interfaces from critical network assets.

Share

CVE-2026-5176 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy