CVE-2026-5105
Published: March 30, 2026
Description
A vulnerability was detected in Totolink A3300R 17.0.0cu.557_b20221024. The affected element is the function setVpnPassCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. Performing a manipulation of the argument pptpPassThru results in command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.
Security Summary
CVE-2026-5105 is a command injection vulnerability affecting the Totolink A3300R router in version 17.0.0cu.557_b20221024. The flaw exists in the setVpnPassCfg function of the /cgi-bin/cstecgi.cgi file within the Parameter Handler component, where manipulation of the pptpPassThru argument enables command injection. It is associated with CWEs-74 and CWE-77 and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability allows remote exploitation by attackers possessing low privileges, such as authenticated users, with no need for user interaction. Successful attacks can result in limited impacts to confidentiality, integrity, and availability, potentially enabling arbitrary command execution on the targeted device.
Advisories and references, including VulDB entries at https://vuldb.com/vuln/354130 and https://vuldb.com/submit/779143, detail the issue, while a public proof-of-concept exploit is available on GitHub at https://github.com/LvHongW/Vuln-of-totolink_A3300R/tree/main/A3300R_pptpPassThru_cmd_inject. The vendor's site at https://www.totolink.net/ should be consulted for any patches or mitigation guidance.
The exploit is now public and may be used, heightening the risk for unpatched Totolink A3300R devices exposed to the internet.
Details
- CWE(s)