Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A vulnerability was detected in Totolink A3600R 4.1.2cu.5182_B20201102. Affected by this issue is the function setNoticeCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. The manipulation of the argument NoticeUrl results in command injection. The attack may be launched remotely. The exploit is now public and may be used.
AnalysisAI
Command injection in Totolink A3600R firmware 4.1.2cu.5182_B20201102 allows authenticated remote attackers to execute arbitrary commands via the NoticeUrl parameter in the setNoticeCfg function of /cgi-bin/cstecgi.cgi. The vulnerability has a CVSS score of 6.3 (low-to-medium severity) but is confirmed by publicly available exploit code, making it an active threat to deployed devices despite the authentication requirement.
Technical ContextAI
The vulnerability exists in the Parameter Handler component of the Totolink A3600R router's web interface. The setNoticeCfg function fails to properly sanitize user-supplied input in the NoticeUrl parameter before passing it to system command execution, violating CWE-77 (Improper Neutralization of Special Elements used in a Command). The web-accessible CGI script /cgi-bin/cstecgi.cgi processes this parameter without input validation, allowing an authenticated user to inject shell metacharacters and execute arbitrary operating system commands on the router with the privileges of the CGI process.
RemediationAI
Apply the latest firmware patch released by Totolink for the A3600R model, available at https://www.totolink.net/. If an updated firmware version with a build number later than 5182_B20201102 is available, download and flash it via the router's web interface or management console following Totolink's official upgrade procedures. As an interim mitigation, restrict access to the router's web management interface to trusted IP addresses only using firewall rules or router ACLs, and ensure all administrative accounts use strong, unique passwords to reduce the risk of credential compromise. Additionally, disable remote management features if not actively required.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16961