CVE-2026-5176

HighPublic PoC

Published: 31 March 2026

Published

31 March 2026

Modified

06 April 2026

KEV Added

—

Patch

—

CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0192 83.5th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

A security flaw has been discovered in Totolink A3300R 17.0.0cu.557_b20221024. Affected is the function setSyslogCfg of the file /cgi-bin/cstecgi.cgi. Performing a manipulation of the argument provided results in command injection. The attack may be initiated remotely. The exploit has been…

released to the public and may be used for attacks.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents command injection vulnerability by validating arguments provided to the setSyslogCfg function in cstecgi.cgi.

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and correction of the specific command injection flaw through patching or firmware updates.

SC-14 Public Access Protections good match

prevent

Enforces authorizations and security requirements on the publicly accessible vulnerable CGI endpoint to block unauthenticated remote exploitation.

Security SummaryAI

CVE-2026-5176 is a command injection vulnerability affecting the Totolink A3300R router on firmware version 17.0.0cu.557_b20221024. The flaw resides in the setSyslogCfg function within the /cgi-bin/cstecgi.cgi file, where manipulation of a provided argument enables arbitrary command execution.

The vulnerability can be exploited remotely by unauthenticated attackers with low complexity and no user interaction required, per its CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, yielding a base score of 7.3. Successful exploitation grants limited impacts on confidentiality, integrity, and availability, mapped to CWEs-74 and CWE-77.

Advisories and references, including VulDB entries at https://vuldb.com/vuln/354244 and https://vuldb.com/submit/779145, detail the issue, while a public exploit is available at https://github.com/LvHongW/Vuln-of-totolink_A3300R/tree/main/A3300R_rtLogServer_cmd_inject. The manufacturer's site at https://www.totolink.net/ provides further context.

The exploit has been released publicly and may be used for attacks, as noted in the CVE description published on 2026-03-31.

Details

CWE(s): CWE-74 CWE-77

Affected Products

totolink

a3300r firmware

17.0.0cu.557_b20221024

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.008 Network Device CLI Execution

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.

attack.mitre.org →

Why these techniques?

The vulnerability is a command injection in a public-facing CGI web interface on a router, enabling unauthenticated remote exploitation (T1190) for arbitrary command execution akin to network device CLI abuse (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/LvHongW/Vuln-of-totolink_A3300R/tree/main/A3300R_rtLogServer_cmd_inject
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/submit/779145
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/vuln/354244
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/vuln/354244/cti
Permissions Required, VDB Entry · cna@vuldb.com
https://www.totolink.net/
Product · cna@vuldb.com