CVE-2026-5178

MediumPublic PoC

Published: 31 March 2026

Published

31 March 2026

Modified

06 April 2026

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0069 71.8th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Description

A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_b20221024. Affected by this issue is the function setIptvCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument vlanPriLan3 leads to command injection. Remote exploitation of the attack is possible. The…

exploit has been disclosed publicly and may be used.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly requires identification, reporting, and correction of the specific command injection flaw in the Totolink A3300R firmware's setIptvCfg function.

SI-10 Information Input Validation good match

prevent

Mandates validation of untrusted inputs like the vlanPriLan3 argument to block command injection in /cgi-bin/cstecgi.cgi.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Enables automated scanning and monitoring to identify systems affected by CVE-2026-5178 in the vulnerable firmware version.

Security SummaryAI

CVE-2026-5178 is a command injection vulnerability (CWE-74, CWE-77) in the Totolink A3300R router, specifically firmware version 17.0.0cu.557_b20221024. The flaw resides in the setIptvCfg function within the /cgi-bin/cstecgi.cgi file, where manipulation of the vlanPriLan3 argument enables command injection.

The vulnerability allows remote exploitation over the network with low attack complexity and requires low privileges (PR:L) but no user interaction. Per its CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), an attacker with authenticated low-privilege access can achieve low-level impacts on confidentiality, integrity, and availability through injected commands.

Advisories note that the exploit has been publicly disclosed and is available as a proof-of-concept on GitHub (https://github.com/LvHongW/Vuln-of-totolink_A3300R/tree/main/A3300R_vlanPriLan3_cmd_inject), with further details on VulDB (https://vuldb.com/vuln/354246). The vendor site is at https://www.totolink.net/, though no specific patch or mitigation details are outlined in the references.

Details

CWE(s): CWE-74 CWE-77

Affected Products

totolink

a3300r firmware

17.0.0cu.557_b20221024

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.008 Network Device CLI Execution

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.

attack.mitre.org →

Why these techniques?

Command injection in router's web CGI enables exploitation of public-facing application (T1190) and facilitates arbitrary command execution on network device (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/LvHongW/Vuln-of-totolink_A3300R/tree/main/A3300R_vlanPriLan3_cmd_inject
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/submit/779147
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/vuln/354246
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/vuln/354246/cti
Permissions Required, VDB Entry · cna@vuldb.com
https://www.totolink.net/
Product · cna@vuldb.com