Skip to main content

A3300R EUVDEUVD-2026-19464

| CVE-2026-5679 LOW
OS Command Injection (CWE-78)
2026-04-06 VulDB GHSA-cmq3-f6cg-p3p7
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
5.1 (MEDIUM) 2.0 (LOW)
PoC Detected
Apr 07, 2026 - 13:20 vuln.today
Public exploit code
EUVD ID Assigned
Apr 06, 2026 - 19:30 euvd
EUVD-2026-19464
Analysis Generated
Apr 06, 2026 - 19:30 vuln.today
CVE Published
Apr 06, 2026 - 19:00 nvd
MEDIUM 5.1

DescriptionCVE.org

A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_B20221024. The impacted element is the function vsetTr069Cfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument stun_pass leads to os command injection. The exploit has been disclosed publicly and may be used.

AnalysisAI

OS command injection in Totolink A3300R firmware version 17.0.0cu.557_B20221024 allows authenticated local attackers to execute arbitrary commands via the stun_pass parameter in the vsetTr069Cfg function of /cgi-bin/cstecgi.cgi. The vulnerability has a CVSS score of 5.1 (medium severity) with CVSS:4.0/AV:A/AC:L/PR:L vector indicating adjacent network access and low authentication requirements. Publicly available exploit code exists, though active exploitation status (CISA KEV) is not confirmed.

Technical ContextAI

This vulnerability exploits improper input validation in the vsetTr069Cfg CGI function, a component of Totolink A3300R router firmware. The stun_pass parameter is passed unsanitized to an OS command execution context, enabling CWE-78 OS command injection. The Totolink A3300R is a residential wireless router (CPE: cpe:2.3:a:totolink:a3300r:*:*:*:*:*:*:*:*) commonly deployed in enterprise and home networks. The /cgi-bin/cstecgi.cgi endpoint handles TR-069 (CPE WAN Management Protocol) configuration, making this function a direct interface to device management. Attackers with low-privilege access (authenticated users on the adjacent network) can inject shell metacharacters into the stun_pass field to break out of the intended command context and execute arbitrary code with the privileges of the CGI process.

RemediationAI

Check Totolink's official website (https://www.totolink.net/) for the latest firmware release for the A3300R model and upgrade immediately if a patched version is available. If no official patch has been released, restrict network access to the router's management interface by disabling remote management, limiting administrative access to trusted hosts only, and segmenting the router's management VLAN from untrusted network segments. Apply strong authentication credentials (long, complex passwords) to any user accounts with access to the router's web interface. Monitor Totolink security advisories and VulDB (https://vuldb.com/vuln/355506) for patch availability confirmation.

Share

EUVD-2026-19464 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy