Skip to main content

A3300R EUVDEUVD-2026-17048

| CVE-2026-5101 LOW
Command Injection (CWE-77)
2026-03-29 VulDB
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
5.3 (MEDIUM) 2.1 (LOW)
PoC Detected
Mar 30, 2026 - 15:45 vuln.today
Public exploit code
EUVD ID Assigned
Mar 29, 2026 - 23:15 euvd
EUVD-2026-17048
Analysis Generated
Mar 29, 2026 - 23:15 vuln.today
CVE Published
Mar 29, 2026 - 23:00 nvd
MEDIUM 5.3

DescriptionCVE.org

A vulnerability was identified in Totolink A3300R 17.0.0cu.557_b20221024. This affects the function setLanCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. The manipulation of the argument lanIp leads to command injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.

AnalysisAI

Command injection in Totolink A3300R firmware versions up to 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary commands via the lanIp parameter in the setLanCfg function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists for this vulnerability. With a CVSS score of 5.3 and moderate real-world exploitability, this presents a meaningful risk to affected router installations.

Technical ContextAI

The vulnerability exists in the Parameter Handler component of the Totolink A3300R router firmware, specifically in the setLanCfg function accessible via the web-based CGI interface at /cgi-bin/cstecgi.cgi. The lanIp parameter is improperly validated before being processed, allowing injection of shell metacharacters that are executed by the underlying system command interpreter. This is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command), a command injection flaw stemming from insufficient input sanitization in a network device's administrative interface. The affected product is identified by CPE cpe:2.3:a:totolink:a3300r and specifically version 17.0.0cu.557_b20221024.

RemediationAI

Users should immediately check the Totolink website (https://www.totolink.net/) for an available firmware update addressing CVE-2026-5101 and upgrade to a patched version if available. As an interim workaround pending patch availability, restrict access to the router's web administrative interface (/cgi-bin/cstecgi.cgi) to trusted IP addresses only via firewall rules or disable remote management if not required. Additionally, change default or weak administrative credentials to prevent unauthorized access to the parameter handler. If patch availability cannot be confirmed from the vendor, consider replacing the device with an alternative router or implementing network segmentation to limit the impact of potential command injection exploitation.

Share

EUVD-2026-17048 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy