CVE-2026-5104

MediumPublic PoC

Published: 30 March 2026

Published

30 March 2026

Modified

30 March 2026

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0267 85.9th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_b20221024. Impacted is the function setStaticRoute of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument ip leads to command injection. The attack may be performed from remote. The exploit has been…

disclosed publicly and may be used.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents command injection by requiring validation of the untrusted 'ip' argument in the setStaticRoute CGI function.

SI-2 Flaw Remediation good match

prevent

Addresses the root cause flaw through timely firmware remediation to fix improper neutralization of special elements in the affected CGI script.

AC-6 Least Privilege partial match

prevent

Limits damage from exploited command injection by enforcing least privilege on low-privileged authenticated users accessing the vulnerable endpoint.

Security SummaryAI

CVE-2026-5104 is a command injection vulnerability in the Totolink A3300R router running firmware version 17.0.0cu.557_b20221024. The flaw resides in the setStaticRoute function within the /cgi-bin/cstecgi.cgi script, where insufficient validation of the 'ip' argument allows attackers to inject arbitrary commands. This issue is classified under CWE-74 (improper neutralization of special elements) and CWE-77 (command injection), with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity.

Remote attackers with low privileges, such as authenticated users, can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation enables limited impacts, including low-level disclosure of confidential information, modification of data or settings, and denial of service through partial availability disruption.

Advisories note that the exploit has been publicly disclosed, with proof-of-concept code available on GitHub at https://github.com/LvHongW/Vuln-of-totolink_A3300R/tree/main/A3300R_ip_cmd_inject. Additional details are documented on VulDB (https://vuldb.com/vuln/354129 and related pages), and the vendor's site is at https://www.totolink.net/, though no specific patch information is detailed in the provided references. Security practitioners should monitor for firmware updates and restrict access to the affected CGI endpoint.

Details

CWE(s): CWE-74 CWE-77

Affected Products

totolink

a3300r firmware

17.0.0cu.557_b20221024

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

The vulnerability is a command injection in a public-facing router web CGI script (T1190: Exploit Public-Facing Application), enabling arbitrary Unix shell command execution (T1059.004: Unix Shell).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/LvHongW/Vuln-of-totolink_A3300R/tree/main/A3300R_ip_cmd_inject
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/submit/779142
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/vuln/354129
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/vuln/354129/cti
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.totolink.net/
Product · cna@vuldb.com