Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_B20221024. The impacted element is the function vsetTr069Cfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument stun_pass leads to os command injection. The exploit has been disclosed publicly and may be used.
AnalysisAI
OS command injection in Totolink A3300R firmware version 17.0.0cu.557_B20221024 allows authenticated local attackers to execute arbitrary commands via the stun_pass parameter in the vsetTr069Cfg function of /cgi-bin/cstecgi.cgi. The vulnerability has a CVSS score of 5.1 (medium severity) with CVSS:4.0/AV:A/AC:L/PR:L vector indicating adjacent network access and low authentication requirements. Publicly available exploit code exists, though active exploitation status (CISA KEV) is not confirmed.
Technical ContextAI
This vulnerability exploits improper input validation in the vsetTr069Cfg CGI function, a component of Totolink A3300R router firmware. The stun_pass parameter is passed unsanitized to an OS command execution context, enabling CWE-78 OS command injection. The Totolink A3300R is a residential wireless router (CPE: cpe:2.3:a:totolink:a3300r:*:*:*:*:*:*:*:*) commonly deployed in enterprise and home networks. The /cgi-bin/cstecgi.cgi endpoint handles TR-069 (CPE WAN Management Protocol) configuration, making this function a direct interface to device management. Attackers with low-privilege access (authenticated users on the adjacent network) can inject shell metacharacters into the stun_pass field to break out of the intended command context and execute arbitrary code with the privileges of the CGI process.
RemediationAI
Check Totolink's official website (https://www.totolink.net/) for the latest firmware release for the A3300R model and upgrade immediately if a patched version is available. If no official patch has been released, restrict network access to the router's management interface by disabling remote management, limiting administrative access to trusted hosts only, and segmenting the router's management VLAN from untrusted network segments. Apply strong authentication credentials (long, complex passwords) to any user accounts with access to the router's web interface. Monitor Totolink security advisories and VulDB (https://vuldb.com/vuln/355506) for patch availability confirmation.
Command injection in Totolink A3300R router firmware 17.0.0cu.557_b20221024 allows unauthenticated remote attackers to e
Command injection in Totolink A3300R firmware version 17.0.0cu.557_b20221024 allows authenticated remote attackers to ex
Command injection in Totolink A3300R router firmware version 17.0.0cu.557_b20221024 allows authenticated remote attacker
Remote command injection in Totolink A3300R firmware 17.0.0cu.557_b20221024 allows authenticated remote attackers to exe
Command injection in Totolink A3300R 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary s
Command injection in Totolink A3300R firmware versions up to 17.0.0cu.557_b20221024 allows authenticated remote attacker
Command injection in Totolink A3300R firmware 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute ar
Command injection in Totolink A3300R 17.0.0cu.557_b20221024 allows authenticated remote attackers to execute arbitrary c
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19464
GHSA-cmq3-f6cg-p3p7