Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_b20221024. Affected by this issue is the function setIptvCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument vlanPriLan3 leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.
AnalysisAI
Command injection in Totolink A3300R firmware 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary commands via the vlanPriLan3 parameter in the setIptvCfg function of /cgi-bin/cstecgi.cgi. The vulnerability has a publicly available exploit and carries moderate severity (CVSS 6.3) with confirmed exploitability signals (EPSS P/E indicator). Successful exploitation grants an authenticated attacker the ability to manipulate VLAN priority settings and potentially gain code execution on the affected router.
Technical ContextAI
The vulnerability exists in the Totolink A3300R router's web interface CGI script (/cgi-bin/cstecgi.cgi), specifically within the setIptvCfg function responsible for IPTV configuration management. The root cause is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command). The vlanPriLan3 parameter is passed directly to system commands without sufficient input validation or sanitization, allowing an attacker to inject shell metacharacters and execute arbitrary operating system commands. This is a classic command injection vulnerability affecting embedded network devices where CGI scripts often interface directly with system-level configuration commands. The CPE cpe:2.3:a:totolink:a3300r indicates this affects all versions of the Totolink A3300R product line.
RemediationAI
Users should immediately contact Totolink for firmware updates, as no patch version is independently confirmed in the available advisory data. Pending vendor-released security patches, temporary mitigation measures include restricting network access to the router's web interface (/cgi-bin/cstecgi.cgi) through firewall rules or IP whitelisting on the administrative network segment, disabling remote management features if not required, implementing strong authentication controls to limit credential compromise, and segregating the router's management interface from untrusted network segments. Organizations should regularly monitor https://www.totolink.net/ and https://vuldb.com/vuln/354246 for available security updates and apply patches immediately upon release.
Command injection in Totolink A3300R router firmware 17.0.0cu.557_b20221024 allows unauthenticated remote attackers to e
Command injection in Totolink A3300R firmware version 17.0.0cu.557_b20221024 allows authenticated remote attackers to ex
Command injection in Totolink A3300R router firmware version 17.0.0cu.557_b20221024 allows authenticated remote attacker
Remote command injection in Totolink A3300R firmware 17.0.0cu.557_b20221024 allows authenticated remote attackers to exe
Command injection in Totolink A3300R 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary s
Command injection in Totolink A3300R firmware versions up to 17.0.0cu.557_b20221024 allows authenticated remote attacker
Command injection in Totolink A3300R 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary c
OS command injection in Totolink A3300R firmware version 17.0.0cu.557_B20221024 allows authenticated local attackers to
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17309
GHSA-w3qx-79f2-f95x