CVE-2026-5020
Severity: MEDIUM
Totolink A3600R Parameter cstecgi.cgi setNoticeCfg command injection
Title source: cna
Description
A vulnerability was detected in Totolink A3600R 4.1.2cu.5182_B20201102. Affected by this issue is the function setNoticeCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. The manipulation of the argument NoticeUrl results in command injection. The attack may be launched remotely. The exploit is now public and may be used.
References (5)
VDB-353905 | Totolink A3600R Parameter cstecgi.cgi setNoticeCfg command injection
https://vuldb.com/vuln/353905
Tags: vdb-entry, technical-description

VDB-353905 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/353905/cti
Tags: signature, permissions-required

Submit #779536 | TOTOLINK A3600R A3600R V4.1.2cu.5182_B20201102 Command Injection
https://vuldb.com/submit/779536
Tags: third-party-advisory

https://lavender-bicycle-a5a.notion.site/TOTOLINK_A3600R_setNoticeCfg-32253a41781f80c197eaf8e7558c5ed1?source=copy_link
Tags: exploit

https://www.totolink.net/
Tags: product
Scores
CVSS v3: 6.3
EPSS: 0.0223
EPSS Percentile: 80.5%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-74, CWE-77
Status: published
Products (2)
Totolink/A3600R: 4.1.2cu.5182_B20201102
totolink/a3600r_firmware: 4.1.2cu.5182_b20201102
Published: Mar 29, 2026
Tracked Since: Mar 29, 2026