CVE-2026-5103

MediumPublic PoC

Published: 30 March 2026

Published

30 March 2026

Modified

30 March 2026

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0267 85.9th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

A weakness has been identified in Totolink A3300R 17.0.0cu.557_b20221024. This issue affects the function setUPnPCfg of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument enable causes command injection. The attack is possible to be carried out remotely. The exploit has…

been made available to the public and could be used for attacks.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly requires timely remediation of the specific command injection flaw in the Totolink A3300R router's setUPnPCfg CGI function via patching or updates.

SI-10 Information Input Validation good match

prevent

Mandates validation and sanitization of the 'enable' argument to prevent arbitrary command injection in the vulnerable CGI endpoint.

CM-7 Least Functionality partial match

prevent

Restricts or prohibits unnecessary UPnP configuration functionality and exposed CGI endpoints to reduce the attack surface for remote exploitation.

Security SummaryAI

CVE-2026-5103 is a command injection vulnerability (CWE-74, CWE-77) affecting the Totolink A3300R router in version 17.0.0cu.557_b20221024. The flaw exists in the setUPnPCfg function of the /cgi-bin/cstecgi.cgi file, where manipulation of the "enable" argument enables arbitrary command execution.

The vulnerability is exploitable remotely over the network with low complexity and low privileges required (PR:L), requiring no user interaction and maintaining unchanged scope. Attackers can achieve limited impacts on confidentiality, integrity, and availability, as reflected in its CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). A public exploit is available, facilitating potential attacks.

Advisories referenced in VulDB entries (including submission and CTI details) document the issue, while a GitHub repository provides exploit code. The Totolink vendor website is also listed for further reference; practitioners should check these sources for any patch availability or mitigation guidance.

The exploit's public availability increases the risk of real-world attacks against unpatched Totolink A3300R devices.

Details

CWE(s): CWE-74 CWE-77

Affected Products

totolink

a3300r firmware

17.0.0cu.557_b20221024

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

Command injection vulnerability in public-facing router CGI script enables remote exploitation of public-facing application (T1190) and arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/LvHongW/Vuln-of-totolink_A3300R/tree/main/A3300R_enable_cmd_inject
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/submit/779140
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/vuln/354128
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/vuln/354128/cti
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.totolink.net/
Product · cna@vuldb.com