Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
A security flaw has been discovered in Totolink A3300R 17.0.0cu.557_b20221024. Affected is the function setSyslogCfg of the file /cgi-bin/cstecgi.cgi. Performing a manipulation of the argument provided results in command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks.
AnalysisAI
Command injection in Totolink A3300R router firmware 17.0.0cu.557_b20221024 allows unauthenticated remote attackers to execute arbitrary system commands via the setSyslogCfg function in /cgi-bin/cstecgi.cgi. Public exploit code is available on GitHub, significantly lowering the barrier to exploitation. The CVSS vector (AV:N/AC:L/PR:N) confirms network-accessible exploitation with low complexity and no authentication required, enabling pre-authentication remote code execution on affected routers.
Technical ContextAI
This vulnerability affects the Totolink A3300R wireless router (CPE: cpe:2.3:a:totolink:a3300r), a consumer-grade networking device. The flaw resides in the setSyslogCfg CGI function, which processes syslog configuration parameters through the web management interface at /cgi-bin/cstecgi.cgi. The root cause is CWE-77 (Improper Neutralization of Special Elements used in a Command), commonly known as OS command injection. The vulnerable code fails to sanitize user-supplied input before passing it to system command execution functions, allowing attackers to inject shell metacharacters and arbitrary commands. This is a typical vulnerability pattern in embedded router firmware where web interfaces directly interact with system-level configuration utilities without proper input validation. The CGI-based architecture and network-facing attack surface make this a critical pre-authentication remote code execution vulnerability.
RemediationAI
Users should immediately check for firmware updates from Totolink at https://www.totolink.net/ and upgrade to the latest available version if a patched release exists. No vendor-released patch version was independently confirmed from available data at time of analysis. As an interim mitigation, disable remote web management access to the router's administrative interface, restricting access to trusted local network segments only. Implement network-level access controls (firewall rules) to prevent external access to TCP ports 80 and 443 on the router's WAN interface. Monitor Totolink security advisories and the VulDB report at https://vuldb.com/vuln/354244 for vendor patch announcements. Given the command injection nature and public exploit availability, consider replacing the device with alternative hardware if vendor support is discontinued or patches are not forthcoming. Conduct network segmentation to isolate IoT and router management interfaces from critical network assets.
Command injection in Totolink A3300R firmware version 17.0.0cu.557_b20221024 allows authenticated remote attackers to ex
Command injection in Totolink A3300R router firmware version 17.0.0cu.557_b20221024 allows authenticated remote attacker
Remote command injection in Totolink A3300R firmware 17.0.0cu.557_b20221024 allows authenticated remote attackers to exe
Command injection in Totolink A3300R 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary s
Command injection in Totolink A3300R firmware versions up to 17.0.0cu.557_b20221024 allows authenticated remote attacker
Command injection in Totolink A3300R firmware 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute ar
Command injection in Totolink A3300R 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary c
OS command injection in Totolink A3300R firmware version 17.0.0cu.557_B20221024 allows authenticated local attackers to
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17279