CVE-2026-3301
Published: 27 February 2026
Description
A security flaw has been discovered in Totolink N300RH 6.1c.1353_B20190305. Affected by this vulnerability is the function setWebWlanIdx of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulating the argument webWlanIdx results in OS command injection.
The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the OS command injection flaw in Totolink N300RH firmware version 6.1c.1353_B20190305 through timely application of vendor patches.
- Validates the webWlanIdx input parameter in the setWebWlanIdx function of cstecgi.cgi so that values containing shell metacharacters are rejected before any command is built, blocking OS command injection.
- Enforces authentication and authorization on the remote web management interface, which currently exposes the vulnerable function to unauthenticated requests, so that unauthenticated callers cannot reach it.
Security Summary
CVE-2026-3301 is an OS command injection vulnerability (CWE-77, CWE-78) affecting the Totolink N300RH router on firmware version 6.1c.1353_B20190305. The flaw resides in the setWebWlanIdx function within the /cgi-bin/cstecgi.cgi file of the Web Management Interface. Manipulation of the webWlanIdx argument enables arbitrary OS command execution.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity. Remote attackers require no authentication, privileges, or user interaction to exploit it over the network with low complexity. Successful exploitation allows full remote code execution, compromising confidentiality, integrity, and availability of the affected device.
Advisories from VulDB (ctiid.348052, id.348052, submit.761297) document the issue, while a public proof-of-concept exploit for RCE is available on GitHub at xyh4ck/iot_poc. The Totolink vendor website provides a reference point for potential firmware updates or mitigation guidance.
A publicly released exploit increases the likelihood of real-world attacks against unpatched Totolink N300RH devices.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated OS command injection (CWE-78) in the public-facing web management CGI interface (/cgi-bin/cstecgi.cgi) enables exploitation of a public-facing application (T1190) and arbitrary Unix shell command execution (T1059.004).
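The input-validation control listed under Mitigating Controls and the T1190/T1059.004 detection angle above can both be illustrated with one small C example. This is an added illustration, not Totolink's firmware code: it assumes (the advisory does not say) that webWlanIdx is meant to be a small non-negative wireless interface index, and the bound MAX_WLAN_IDX and the wlanN interface naming are hypothetical. The weak pattern behind CWE-78 is splicing the raw parameter into a command string that is handed to a shell; the hardened form below parses the value strictly, and only the resulting integer is ever used, so no request bytes reach a shell. The has_shell_metachar() helper is the check a log reviewer would run over URL-decoded cstecgi.cgi request parameters to flag probes for this CVE.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical upper bound on the interface index; the real firmware's
 * range is not stated in the advisory. */
#define MAX_WLAN_IDX 7

/* Strictly parse webWlanIdx: ASCII digits only, no sign, no whitespace,
 * no trailing bytes, at most three characters, within [0, MAX_WLAN_IDX].
 * Returns the index on success or -1 on any deviation. Rejecting anything
 * that is not a plain decimal number is what closes the injection. */
int parse_wlan_idx(const char *s) {
    if (s == NULL || *s == '\0') return -1;
    size_t len = strlen(s);
    if (len > 3) return -1;                 /* far longer than any valid index */
    for (size_t i = 0; i < len; i++) {
        if (!isdigit((unsigned char)s[i])) return -1;
    }
    long v = strtol(s, NULL, 10);
    if (v < 0 || v > MAX_WLAN_IDX) return -1;
    return (int)v;
}

/* Detection helper for access-log review: does a URL-decoded parameter
 * value carry bytes that only make sense to a shell? Returns 1 if so. */
int has_shell_metachar(const char *s) {
    static const char meta[] = ";|&`$()<>\n\r";
    for (; s != NULL && *s != '\0'; s++) {
        if (strchr(meta, *s) != NULL) return 1;
    }
    return 0;
}

/* Hardened handler pattern: validate first, then derive the interface name
 * from the validated integer only. The caller passes this name as one argv
 * element to execv()/posix_spawn(), never through system() or a shell.
 * Returns 0 on success, -1 if the parameter is rejected or buf is too small. */
int wlan_iface_name(const char *webWlanIdx, char *buf, size_t buflen) {
    int idx = parse_wlan_idx(webWlanIdx);
    if (idx < 0) return -1;
    int n = snprintf(buf, buflen, "wlan%d", idx);   /* hypothetical naming */
    if (n < 0 || (size_t)n >= buflen) return -1;
    return 0;
}

int main(void) {
    /* Constructed sample parameter values, including injection-style probes. */
    const char *samples[] = { "0", "1", "7", "8", "-1", "1 ", "", "1;reboot", "$(id)" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char iface[16];
        int ok = wlan_iface_name(samples[i], iface, sizeof iface) == 0;
        printf("webWlanIdx=%-10s accepted=%d iface=%-6s suspicious=%d\n",
               samples[i], ok, ok ? iface : "-", has_shell_metachar(samples[i]));
    }
    return 0;
}
```

Note that the validator does not try to "sanitize" the value by stripping metacharacters; it rejects anything that is not exactly a small decimal number, which is the allow-list approach NIST SI-10 style input validation calls for. The metacharacter scan is deliberately separate: it is a detection heuristic for log review, not the control that protects the handler.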