Skip to main content

Totolink WA300 CVE-2026-7721

| EUVDEUVD-2026-26874 LOW
Command Injection (CWE-77)
2026-05-04 VulDB
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
PoC Detected
May 04, 2026 - 15:18 vuln.today
Public exploit code
Analysis Generated
May 04, 2026 - 03:30 vuln.today
Severity Changed
May 04, 2026 - 03:22 NVD
MEDIUM LOW
CVSS changed
May 04, 2026 - 03:22 NVD
6.3 (MEDIUM) 2.1 (LOW)
EUVD ID Assigned
May 04, 2026 - 03:00 euvd
EUVD-2026-26874
Analysis Generated
May 04, 2026 - 03:00 vuln.today
CVE Published
May 04, 2026 - 02:00 nvd
LOW 2.1

DescriptionCVE.org

A security vulnerability has been detected in Totolink WA300 5.2cu.7112_B20190227. This affects the function NTPSyncWithHost of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument hostTime leads to command injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.

AnalysisAI

Command injection in Totolink WA300 firmware version 5.2cu.7112_B20190227 allows authenticated remote attackers to execute arbitrary commands via the hostTime parameter in the NTPSyncWithHost function accessible through /cgi-bin/cstecgi.cgi. Publicly available exploit code exists, though actual real-world exploitation risk is mitigated by the requirement for authenticated access and the low impact scope (limited to confidentiality, integrity, and availability of the application itself, with no system-wide impact).

Technical ContextAI

The vulnerability stems from improper input validation in a CGI script responsible for NTP time synchronization. The NTPSyncWithHost function in /cgi-bin/cstecgi.cgi fails to sanitize the hostTime parameter before passing it to system commands, enabling command injection (CWE-77). This is a classic OS command injection flaw in embedded device firmware where user-supplied input is concatenated into shell commands without proper escaping or parameterization. The affected CPE indicates all versions of the WA300 product line are potentially vulnerable, though only version 5.2cu.7112_B20190227 was explicitly confirmed in the report.

RemediationAI

Upgrade Totolink WA300 device firmware to the latest available version released after the vulnerability disclosure (versions beyond 5.2cu.7112_B20190227). Contact Totolink support at www.totolink.net to obtain patched firmware releases. As an interim compensating control, restrict network access to the /cgi-bin/cstecgi.cgi endpoint via firewall rules, limiting CGI access to trusted administrative subnets only. Additionally, enforce strong authentication for device web administration by changing default credentials, disabling default accounts, and implementing IP-based access restrictions to the management interface. Monitor access logs for suspicious patterns targeting NTP-related parameters (hostTime) in CGI requests. If firmware patching is delayed, disable NTP time synchronization features via remote access if possible, or use external trusted time sources instead of device-supplied NTP endpoints.

Share

CVE-2026-7721 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy