CVE-2026-0641

MediumPublic PoC

Published: 06 January 2026

Published

06 January 2026

Modified

22 January 2026

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0212 84.2th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

A security vulnerability has been detected in TOTOLINK WA300 5.2cu.7112_B20190227. This vulnerability affects the function sub_401510 of the file cstecgi.cgi. The manipulation of the argument UPLOAD_FILENAME leads to command injection. The attack may be initiated remotely. The exploit has been…

disclosed publicly and may be used.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly mitigates command injection by requiring validation and sanitization of the UPLOAD_FILENAME argument in cstecgi.cgi to reject malicious payloads.

SI-2 Flaw Remediation good match

prevent

Addresses the specific flaw in sub_401510 by mandating identification, testing, and deployment of firmware patches or updates for the TOTOLINK WA300 router.

AC-6 Least Privilege partial match

prevent

Limits the impact of arbitrary command execution from injected UPLOAD_FILENAME by enforcing least privilege on router processes and authenticated users.

Security SummaryAI

CVE-2026-0641 is a command injection vulnerability affecting the TOTOLINK WA300 router on firmware version 5.2cu.7112_B20190227. The issue resides in the sub_401510 function within the cstecgi.cgi file, where manipulation of the UPLOAD_FILENAME argument enables attackers to inject and execute arbitrary commands.

The vulnerability is exploitable remotely over the network with low complexity and no user interaction required, but it necessitates low privileges (PR:L) such as an authenticated user account. Exploitation yields limited impacts on confidentiality, integrity, and availability, as reflected in its CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). Attackers can achieve remote code execution via the disclosed proof-of-concept.

Advisories on VulDB (ctiid.339684, id.339684) and a GitHub repository (https://github.com/JackWesleyy/CVE/blob/main/WA300/TOTOLINK_WA300_RCE.md, including PoC at #poc) detail the vulnerability and exploit, but no specific patches or vendor mitigations are referenced in the available information.

The exploit has been publicly disclosed and may be used, with associated CWEs CWE-74 and CWE-77 highlighting improper neutralization of special elements in commands.

Details

CWE(s): CWE-74 CWE-77

Affected Products

totolink

wa300 firmware

5.2cu.7112_b20190227

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

The vulnerability enables exploitation of a public-facing web application (T1190) via command injection in a CGI script, leading to arbitrary Unix shell command execution (T1059.004) on the router.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/JackWesleyy/CVE/blob/main/WA300/TOTOLINK_WA300_RCE.md
Exploit, Third Party Advisory · cna@vuldb.com
https://github.com/JackWesleyy/CVE/blob/main/WA300/TOTOLINK_WA300_RCE.md#poc
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.339684
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.339684
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.732234
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.totolink.net/
Product · cna@vuldb.com