Skip to main content

A3300R CVE-2026-5177

| EUVDEUVD-2026-17281 LOW
Command Injection (CWE-77)
2026-03-31 VulDB GHSA-mq3w-44cm-pfv8
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
5.3 (MEDIUM) 2.1 (LOW)
PoC Detected
Apr 06, 2026 - 15:22 vuln.today
Public exploit code
EUVD ID Assigned
Mar 31, 2026 - 02:30 euvd
EUVD-2026-17281
Analysis Generated
Mar 31, 2026 - 02:30 vuln.today
CVE Published
Mar 31, 2026 - 02:00 nvd
MEDIUM 5.3

DescriptionCVE.org

A weakness has been identified in Totolink A3300R 17.0.0cu.557_b20221024. Affected by this vulnerability is the function setWiFiBasicCfg of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument rxRate can lead to command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks.

AnalysisAI

Command injection in Totolink A3300R 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary commands via manipulation of the rxRate parameter in the setWiFiBasicCfg function at /cgi-bin/cstecgi.cgi. The vulnerability has a CVSS score of 6.3 with publicly available exploit code, making it a moderate-priority issue for affected device administrators despite requiring prior authentication.

Technical ContextAI

The vulnerability exists in the CGI endpoint /cgi-bin/cstecgi.cgi within Totolik A3300R firmware, specifically in the setWiFiBasicCfg function. The underlying issue is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command), indicating that user-supplied input from the rxRate parameter is not properly sanitized before being used in command construction or execution. This is a classic command injection vulnerability where an attacker can inject shell metacharacters or commands that are then executed with the privileges of the web service process. The affected component manages WiFi configuration settings on this consumer-grade router device.

RemediationAI

Totolink administrators should immediately apply the latest firmware update available for the A3300R device from https://www.totolink.net/. Until patching is possible, restrict access to the device's web management interface to trusted networks only, change any default or weak administrative credentials, and consider disabling remote access to the CGI endpoints if the functionality is not required. The presence of publicly available exploit code makes this vulnerability a priority for urgent patching. Users should verify the firmware version installed and cross-reference against Totolink's security bulletins to confirm whether their specific build is patched.

Share

CVE-2026-5177 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy