Skip to main content

A3300R CVE-2026-5178

| EUVDEUVD-2026-17309 LOW
Command Injection (CWE-77)
2026-03-31 VulDB GHSA-w3qx-79f2-f95x
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
5.3 (MEDIUM) 2.1 (LOW)
PoC Detected
Apr 06, 2026 - 15:21 vuln.today
Public exploit code
EUVD ID Assigned
Mar 31, 2026 - 03:45 euvd
EUVD-2026-17309
Analysis Generated
Mar 31, 2026 - 03:45 vuln.today
CVE Published
Mar 31, 2026 - 03:00 nvd
MEDIUM 5.3

DescriptionCVE.org

A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_b20221024. Affected by this issue is the function setIptvCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument vlanPriLan3 leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.

AnalysisAI

Command injection in Totolink A3300R firmware 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary commands via the vlanPriLan3 parameter in the setIptvCfg function of /cgi-bin/cstecgi.cgi. The vulnerability has a publicly available exploit and carries moderate severity (CVSS 6.3) with confirmed exploitability signals (EPSS P/E indicator). Successful exploitation grants an authenticated attacker the ability to manipulate VLAN priority settings and potentially gain code execution on the affected router.

Technical ContextAI

The vulnerability exists in the Totolink A3300R router's web interface CGI script (/cgi-bin/cstecgi.cgi), specifically within the setIptvCfg function responsible for IPTV configuration management. The root cause is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command). The vlanPriLan3 parameter is passed directly to system commands without sufficient input validation or sanitization, allowing an attacker to inject shell metacharacters and execute arbitrary operating system commands. This is a classic command injection vulnerability affecting embedded network devices where CGI scripts often interface directly with system-level configuration commands. The CPE cpe:2.3:a:totolink:a3300r indicates this affects all versions of the Totolink A3300R product line.

RemediationAI

Users should immediately contact Totolink for firmware updates, as no patch version is independently confirmed in the available advisory data. Pending vendor-released security patches, temporary mitigation measures include restricting network access to the router's web interface (/cgi-bin/cstecgi.cgi) through firewall rules or IP whitelisting on the administrative network segment, disabling remote management features if not required, implementing strong authentication controls to limit credential compromise, and segregating the router's management interface from untrusted network segments. Organizations should regularly monitor https://www.totolink.net/ and https://vuldb.com/vuln/354246 for available security updates and apply patches immediately upon release.

Share

CVE-2026-5178 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy