CVE-2026-4497

HIGH

Totolink WA300 cstecgi.cgi recvUpgradeNewFw OS command injection

Title source: cna

Description

A vulnerability was identified in Totolink WA300 5.2cu.7112_B20190227. It affects the function recvUpgradeNewFw of the file /cgi-bin/cstecgi.cgi. Manipulation leads to OS command injection. The attack can be carried out remotely. The exploit has been publicly disclosed and may be used.

Scores

CVSS v3 7.3
EPSS 0.0064
EPSS Percentile 70.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-77 CWE-78
Status published
Products (2)
Totolink/WA300 5.2cu.7112_B20190227
totolink/wa300_firmware 5.2cu.7112_b20190227
Published Mar 20, 2026
Tracked Since Mar 21, 2026