Cyber Posture

CVE-2026-4497

Severity: High · Public PoC available

Published: 20 March 2026
Modified: 03 April 2026
KEV Added: not listed
Patch: none listed
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0073 (72.9th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

A vulnerability was identified in Totolink WA300 firmware 5.2cu.7112_B20190227. The affected code is the function recvUpgradeNewFw in the file /cgi-bin/cstecgi.cgi. Manipulating its input leads to OS command injection. The flaw is exploitable remotely. The exploit has been publicly disclosed and may be utilized.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

Prevent: Directly mitigates the OS command injection by requiring validation of untrusted input before it reaches the vulnerable recvUpgradeNewFw function in cstecgi.cgi.

Prevent: Ensures timely identification, reporting, and patching of this command injection flaw in Totolink WA300 firmware version 5.2cu.7112_B20190227.

Prevent: Protects publicly reachable router management interfaces, including the vulnerable CGI endpoint, from unauthorized remote access and from the code execution that command injection provides.
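The description and the first control above concern the same thing: a CGI handler that passes a request parameter into an OS command, and the input validation that would stop it. The C below is an added illustration of that bug class and its fix, not the vendor's code; the real recvUpgradeNewFw, its parameter names, and the helper it invokes are not shown on this page, so the parameter (fw_name), the helper path (/bin/fwupgrade), and the staging directory (/tmp) are assumptions. The vulnerable variant only builds the command string so it can be inspected safely; the hardened variant allow-lists the file name and then execs the helper with an argv vector, so no shell ever parses attacker data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAX_FW_NAME 64

/* Vulnerable pattern (CWE-78): the request parameter is spliced verbatim
 * into a shell command line, so metacharacters in it become extra commands
 * once the line reaches system() or popen(). Hypothetical reconstruction
 * of the bug class, not the vendor's handler. Returns 0, or -1 on overflow. */
int build_upgrade_cmd_vulnerable(char *out, size_t outsz, const char *fw_name) {
    int n = snprintf(out, outsz, "/bin/fwupgrade /tmp/%s", fw_name);
    if (n < 0 || (size_t)n >= outsz) return -1;
    return 0;
}

/* Allow-list validation: ASCII letters, digits, '.', '_', '-' only, no
 * leading '.', bounded length. Returns 1 if acceptable, 0 otherwise.
 * Everything an injection needs (';', '|', '&', '`', '$', quotes, '/',
 * whitespace, newline) is rejected because it is simply not on the list. */
int fw_name_is_valid(const char *fw_name) {
    size_t len = strlen(fw_name);
    if (len == 0 || len > MAX_FW_NAME) return 0;
    if (fw_name[0] == '.') return 0;            /* blocks "..", ".hidden" */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)fw_name[i];
        if (isalnum(c) || c == '.' || c == '_' || c == '-') continue;
        return 0;
    }
    return 1;
}

/* Hardened pattern: validate first, then run the helper directly with an
 * argv vector. No shell is involved, so even a value that slipped past
 * validation is one literal argument, never a second command.
 * Returns the helper's exit status, or -1 if validation, fork or wait fails
 * (127 if the helper itself cannot be executed). */
int run_upgrade_hardened(const char *helper_path, const char *fw_name) {
    if (!fw_name_is_valid(fw_name)) return -1;

    char path[8 + MAX_FW_NAME];
    snprintf(path, sizeof path, "/tmp/%s", fw_name);
    char *const argv[] = { (char *)helper_path, path, NULL };

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(helper_path, argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    const char *hostile = "fw.bin;reboot";     /* constructed sample input */
    char cmd[256];
    build_upgrade_cmd_vulnerable(cmd, sizeof cmd, hostile);
    printf("vulnerable shell line: %s\n", cmd); /* ';reboot' would run */
    printf("hostile accepted by validator: %d\n", fw_name_is_valid(hostile));
    printf("hardened, hostile: %d\n", run_upgrade_hardened("/bin/true", hostile));
    printf("hardened, clean:   %d\n", run_upgrade_hardened("/bin/true", "fw.bin"));
    return 0;
}
```

The order matters: validation alone is a single point of failure, and exec-without-shell alone still hands an attacker-chosen path to the helper. Doing both means a bypass of the allow-list yields at worst an odd file name, not command execution.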

Security Summary [AI-generated]

CVE-2026-4497 is an OS command injection vulnerability (CWE-77, CWE-78) in Totolink WA300 router firmware version 5.2cu.7112_B20190227. The flaw is in the recvUpgradeNewFw function of /cgi-bin/cstecgi.cgi, which lets an attacker inject operating system commands through crafted input.

The vulnerability is exploitable remotely without authentication or user interaction, as reflected in its CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Any network-reachable attacker can trigger it and execute arbitrary commands on the device. Note that the vector rates confidentiality, integrity and availability impact as Low; arbitrary command execution on an embedded router typically offers far more than that, so an exposed or exploited device should be treated as fully compromised during response.

Advisories from VulDB and GitHub references, including a proof-of-concept exploit ZIP file, confirm the vulnerability's details and its public disclosure. No vendor patch or vendor-specific mitigation is described in the available sources.

Details

CWE(s): CWE-77 (Command Injection), CWE-78 (OS Command Injection)

Affected Products: Totolink WA300 firmware 5.2cu.7112_B20190227

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.008 Network Device CLI (Execution): Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.

Why these techniques? The CVE enables unauthenticated remote exploitation of a public-facing web application (the router's CGI interface) to execute arbitrary OS commands on the network device.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
