CVE-2026-3696

HighPublic PoC

Published: 08 March 2026

Published

08 March 2026

Modified

10 March 2026

KEV Added

—

Patch

—

CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0054 67.9th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability was found in Totolink N300RH 6..1c.1353_B20190305. The affected element is the function setWiFiWpsConfig of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation results in os command injection. The attack can be initiated remotely. The exploit…

has been made public and could be used.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents OS command injection by requiring validation and sanitization of inputs to the vulnerable setWiFiWpsConfig function in /cgi-bin/cstecgi.cgi.

SC-14 Public Access Protections good match

prevent

Protects the publicly accessible CGI handler from unauthorized remote manipulation, mitigating the network-accessible unauthenticated exploitation vector.

SI-2 Flaw Remediation good match

prevent

Requires timely identification, prioritization, and remediation of the specific command injection flaw in Totolink N300RH firmware version 6.1c.1353_B20190305.

Security SummaryAI

CVE-2026-3696 is an OS command injection vulnerability (CWE-77, CWE-78) in the Totolink N300RH router running firmware version 6..1c.1353_B20190305. The issue resides in the setWiFiWpsConfig function within the /cgi-bin/cstecgi.cgi file of the CGI Handler component. It has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and lack of prerequisites.

Remote attackers can exploit this vulnerability without authentication or user interaction by manipulating the affected function, leading to arbitrary OS command execution. Successful exploitation grants limited impact on confidentiality, integrity, and availability, potentially allowing attackers to run commands on the device.

Advisories and details are available via VulDB entries (ctiid.349642, id.349642, submit.765681) and a GitHub vulnerability research issue. The Totolink manufacturer website is also referenced, though specific patch or mitigation guidance is not detailed in the CVE publication from March 8, 2026. A public exploit exists, increasing the risk of real-world attacks.

Details

CWE(s): CWE-77 CWE-78

Affected Products

totolink

n300rh firmware

6.1c.1353_b20190305

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.008 Network Device CLI Execution

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.

attack.mitre.org →

Why these techniques?

CVE enables unauthenticated remote OS command injection via public-facing CGI interface on router (T1190), facilitating command execution on network device CLI (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/JXBbozaihuang/vuln-research/issues/2
Exploit, Issue Tracking, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.349642
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.349642
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.765681
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.totolink.net/
Product · cna@vuldb.com