Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A security vulnerability has been detected in Totolink WA300 5.2cu.7112_B20190227. This affects the function NTPSyncWithHost of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument hostTime leads to command injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
AnalysisAI
Command injection in Totolink WA300 firmware version 5.2cu.7112_B20190227 allows authenticated remote attackers to execute arbitrary commands via the hostTime parameter in the NTPSyncWithHost function accessible through /cgi-bin/cstecgi.cgi. Publicly available exploit code exists, though actual real-world exploitation risk is mitigated by the requirement for authenticated access and the low impact scope (limited to confidentiality, integrity, and availability of the application itself, with no system-wide impact).
Technical ContextAI
The vulnerability stems from improper input validation in a CGI script responsible for NTP time synchronization. The NTPSyncWithHost function in /cgi-bin/cstecgi.cgi fails to sanitize the hostTime parameter before passing it to system commands, enabling command injection (CWE-77). This is a classic OS command injection flaw in embedded device firmware where user-supplied input is concatenated into shell commands without proper escaping or parameterization. The affected CPE indicates all versions of the WA300 product line are potentially vulnerable, though only version 5.2cu.7112_B20190227 was explicitly confirmed in the report.
RemediationAI
Upgrade Totolink WA300 device firmware to the latest available version released after the vulnerability disclosure (versions beyond 5.2cu.7112_B20190227). Contact Totolink support at www.totolink.net to obtain patched firmware releases. As an interim compensating control, restrict network access to the /cgi-bin/cstecgi.cgi endpoint via firewall rules, limiting CGI access to trusted administrative subnets only. Additionally, enforce strong authentication for device web administration by changing default credentials, disabling default accounts, and implementing IP-based access restrictions to the management interface. Monitor access logs for suspicious patterns targeting NTP-related parameters (hostTime) in CGI requests. If firmware patching is delayed, disable NTP time synchronization features via remote access if possible, or use external trusted time sources instead of device-supplied NTP endpoints.
Remote unauthenticated buffer overflow in Totolink WA300 wireless repeater firmware version 5.2cu.7112_B20190227 enables
Buffer overflow in Totolink WA300 wireless range extender firmware 5.2cu.7112_B20190227 allows authenticated remote atta
A critical OS command injection vulnerability exists in Totolink WA300 router firmware version 5.2cu.7112_B20190227, spe
Command injection in Totolink WA300 5.2cu.7112_B20190227 allows authenticated remote attackers to execute arbitrary comm
Command injection in Totolink WA300 firmware version 5.2cu.7112_B20190227 allows authenticated remote attackers to execu
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26874