CVE-2026-5103
MEDIUMTotolink A3300R cstecgi.cgi setUPnPCfg command injection
Title source: cnaDescription
A weakness has been identified in Totolink A3300R 17.0.0cu.557_b20221024. This issue affects the function setUPnPCfg of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument enable causes command injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks.
References (5)
Core 5
Core References
Vdb Entry, Technical Description vdb-entry
technical-description
VDB-354128 | Totolink A3300R cstecgi.cgi setUPnPCfg command injection
https://vuldb.com/vuln/354128
Signature, Permissions Required signature
permissions-required
VDB-354128 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/354128/cti
Third Party Advisory third-party-advisory
Submit #779140 | Totolink A3300R 17.0.0cu.557_b20221024 Command Injection
https://vuldb.com/submit/779140
Exploit exploit
https://github.com/LvHongW/Vuln-of-totolink_A3300R/tree/main/A3300R_enable_cmd_inject
Product product
https://www.totolink.net/
Scores
CVSS v3
6.3
EPSS
0.0364
EPSS Percentile
88.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-74
CWE-77
Status
published
Products (2)
Totolink/A3300R
17.0.0cu.557_b20221024
totolink/a3300r_firmware
17.0.0cu.557_b20221024
Published
Mar 30, 2026
Tracked Since
Mar 30, 2026