Cyber Posture

CVE-2026-5177

Severity: Medium · Public PoC

Published: 31 March 2026
Modified: 06 April 2026
KEV Added: none listed
Patch: none listed
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0069 (71.8th percentile)
Risk Priority: 13 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

A weakness has been identified in Totolink A3300R 17.0.0cu.557_b20221024. Affected by this vulnerability is the function setWiFiBasicCfg of the file /cgi-bin/cstecgi.cgi. Manipulation of the argument rxRate can lead to command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks.

Mitigating Controls (NIST 800-53 r5), AI-generated

prevent: Directly remediates the command injection flaw in the Totolink A3300R firmware by identifying, reporting, and applying patches to the vulnerable setWiFiBasicCfg function.

prevent: Requires validation of the rxRate argument so that it contains only expected content, preventing command injection in the /cgi-bin/cstecgi.cgi handler.

prevent: Restricts the rxRate parameter to an allow-list of formats and values (numeric rates only, within a bounded length and range), so that shell metacharacters and injected commands are rejected before the value reaches any command.
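The three controls above describe the fix pattern in the abstract. The following C example, added here as an illustration and not taken from the Totolink firmware or from the public PoC, shows the vulnerable shape (a CGI parameter spliced into a shell command string) next to the hardened shape (an allow-list check on rxRate followed by an exec-style argument vector that no shell parses). The query-string parser, the "wlan_cfg" helper binary and its path, the 0..1000 value bound and the sample query strings are all assumptions made for the example; the page does not describe how cstecgi.cgi actually dispatches the value.

```c
/* Added example (not Totolink code): how an rxRate-style CGI parameter
 * reaches a shell, and how to validate it before use. The helper binary
 * "wlan_cfg", its path, the numeric bound and the sample queries are
 * hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define RXRATE_MAX_LEN   8      /* assumed: a rate never needs more digits */
#define RXRATE_MAX_VALUE 1000   /* assumed upper bound for the rate value */

/* Minimal query-string lookup: copies the value of `name` from a string
 * like "ssid=home&rxRate=54" into out. No URL decoding; enough for the
 * demonstration. Returns 1 if the parameter was present, else 0. */
static int query_get(const char *query, const char *name, char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *p = query;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            size_t vlen = plen - nlen - 1;
            if (vlen >= outsz)
                vlen = outsz - 1;
            memcpy(out, p + nlen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = end ? end + 1 : NULL;
    }
    return 0;
}

/* Vulnerable pattern: the raw parameter is formatted into a command line
 * destined for system()/popen(). The string is only built here, never
 * executed; a value like "54;reboot" shows why it is unsafe. */
int build_vulnerable_command(const char *rxrate, char *cmd, size_t cmdsz)
{
    int n = snprintf(cmd, cmdsz, "wlan_cfg set rxrate=%s", rxrate);
    return n > 0 && (size_t)n < cmdsz;
}

/* Allow-list check: 1..RXRATE_MAX_LEN ASCII digits, value within range.
 * Anything else (';', '|', '`', '$(', whitespace, signs, hex) is rejected. */
int validate_rxrate(const char *rxrate)
{
    size_t len = strlen(rxrate);
    if (len == 0 || len > RXRATE_MAX_LEN)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)rxrate[i]))
            return 0;
    long v = strtol(rxrate, NULL, 10);
    return v >= 0 && v <= RXRATE_MAX_VALUE;
}

/* Hardened pattern: validate, then hand the value to the helper as one
 * argv element for execv(), so no shell ever tokenises it. Returns the
 * number of argv entries written (0 on rejection); argv[argc] is NULL.
 * The static buffer keeps the example short; it is not re-entrant. */
int build_safe_argv(const char *rxrate, const char **argv, size_t argvsz)
{
    static char buf[RXRATE_MAX_LEN + 1];
    if (argvsz < 5 || !validate_rxrate(rxrate))
        return 0;
    snprintf(buf, sizeof buf, "%s", rxrate);
    argv[0] = "/usr/sbin/wlan_cfg";   /* hypothetical helper path */
    argv[1] = "set";
    argv[2] = "rxrate";
    argv[3] = buf;
    argv[4] = NULL;
    return 4;
}

/* Handler in the style of setWiFiBasicCfg: 0 when rxRate is accepted and
 * argv is ready for execv(), -1 when it is missing or rejected. */
int handle_set_wifi_basic_cfg(const char *query, const char **argv, size_t argvsz)
{
    char rxrate[64];
    if (!query_get(query, "rxRate", rxrate, sizeof rxrate))
        return -1;
    return build_safe_argv(rxrate, argv, argvsz) ? 0 : -1;
}

int main(void)
{
    /* Constructed sample inputs, not captured traffic. */
    const char *benign  = "ssid=home&rxRate=54";
    const char *hostile = "ssid=home&rxRate=54;reboot";
    const char *argv[8];
    char cmd[128], val[64];

    query_get(hostile, "rxRate", val, sizeof val);
    build_vulnerable_command(val, cmd, sizeof cmd);
    printf("vulnerable command string: %s\n", cmd);
    printf("benign accepted:  %d\n", handle_set_wifi_basic_cfg(benign, argv, 8) == 0);
    printf("hostile accepted: %d\n", handle_set_wifi_basic_cfg(hostile, argv, 8) == 0);
    return 0;
}
```

The point of the hardened half is that validation and the choice of execution primitive work together: the allow-list stops metacharacters at the boundary, and exec-style invocation means that even a value that slipped past the check would arrive as a single argument rather than as shell syntax. A blocklist of ';' and '|' alone would not cover newlines, backticks or "$(...)".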

Security Summary, AI-generated

CVE-2026-5177 is a command injection vulnerability affecting the Totolink A3300R router running firmware version 17.0.0cu.557_b20221024. The flaw resides in the setWiFiBasicCfg function within the /cgi-bin/cstecgi.cgi script, where manipulation of the rxRate argument enables an attacker to inject arbitrary commands. The issue is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection') and CWE-77 (Improper Neutralization of Special Elements used in a Command, 'Command Injection'), with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

The vulnerability can be exploited over the network (AV:N) by an authenticated user with low privileges (PR:L), in practice anyone holding credentials for the router's web interface, without user interaction. The vector rates the impact as limited (C:L/I:L/A:L), but arbitrary command execution on the device itself can in practice enable further network reconnaissance or pivoting within the local environment.

Advisories and references, including those from VulDB (vuln/354245) and a public GitHub repository (LvHongW/Vuln-of-totolink_A3300R), detail the vulnerability and provide a proof-of-concept exploit for the rxRate command injection. The Totolink vendor website (totolink.net) is referenced for potential firmware updates or mitigation guidance, though no specific patches are detailed in the available sources.

A publicly available exploit on GitHub heightens the risk of real-world attacks against unpatched Totolink A3300R devices.

Details

CWE(s): CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'); CWE-77 (Improper Neutralization of Special Elements used in a Command, 'Command Injection')

Affected Products: totolink a3300r firmware 17.0.0cu.557_b20221024

MITRE ATT&CK Enterprise Techniques, AI-generated

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Command and Scripting Interpreter: Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection through the authenticated web interface of a router that is reachable from the network maps to T1190 (Exploit Public-Facing Application) for initial access; the injected payload is executed by the device's Unix shell, which maps to T1059.004 (Unix Shell) for execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
