Publicly Exploitable Command Injection Flaws Disclosed in Totolink A3300R Router
Two high-severity command injection vulnerabilities have been disclosed in the Totolink A3300R router, both affecting firmware version 17.0.0cu.557_b20221024 and exposing the device to remote code execution through /cgi-bin/cstecgi.cgi. The flaws are tracked as CVE-2026-5104 and CVE-2026-5101. CVE-2026-5104 affects the setStaticRoute function, where manipulation of the ip argument can trigger command injection, while CVE-2026-5101 affects the setLanCfg function in the Parameter Handler component through the lanIp argument.
Public exploit material has been disclosed for both issues, according to VulDB and referenced advisory material, raising the risk of active abuse against exposed devices. NVD subsequently added initial analysis for the CVEs, assigning higher CVSS v3.1 severity assessments than the original CNA submissions and mapping the weaknesses to CWE-77, CWE-74, and CWE-78. The disclosures indicate that attackers could remotely inject operating system commands via crafted requests, making patching, exposure reduction, and monitoring of internet-facing Totolink A3300R systems urgent priorities.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-31181 disclosed for Totolink A3300R command injection flaw
A CVE record was published for a remotely exploitable command injection vulnerability in /cgi-bin/cstecgi.cgi on Totolink A3300R firmware v17.0.0cu.557_B20221024. The flaw involves the stunServerAddr parameter, and the record was updated the same day with critical CVSS v3.1 scoring, CWE-78 classification, and a GitHub reference documenting the issue.
CVE-2026-31178 disclosed for Totolink A3300R command injection flaw
A CVE record was published for a remotely exploitable command injection vulnerability in /cgi-bin/cstecgi.cgi on Totolink A3300R firmware v17.0.0cu.557_B20221024. The flaw involves the stunMaxAlive parameter, and the record was updated the same day with critical CVSS v3.1 scoring, CWE-78 classification, and a GitHub reference containing technical details.
CVE-2026-31177 disclosed for Totolink A3300R command injection flaw
A CVE record was published for a remotely exploitable command injection vulnerability in /cgi-bin/cstecgi.cgi on Totolink A3300R firmware v17.0.0cu.557_B20221024. The flaw involves the stunMinAlive parameter, and the record was updated the same day with critical CVSS v3.1 scoring, CWE-78 classification, and a GitHub reference containing technical details.
CVE-2026-31175 disclosed for Totolink A3300R command injection flaw
A CVE record was published for a remotely exploitable command injection vulnerability in /cgi-bin/cstecgi.cgi on Totolink A3300R firmware v17.0.0cu.557_B20221024. The flaw involves the stunEnable parameter, and the record was updated the same day with a critical CVSS v3.1 vector, CWE-77 classification, and a GitHub reference for vulnerability details and proof-of-concept information.
CVE-2026-5103 disclosed for Totolink A3300R command injection flaw
A CVE record was published for a remotely exploitable command injection vulnerability in the setUPnPCfg function of /cgi-bin/cstecgi.cgi on Totolink A3300R firmware 17.0.0cu.557_b20221024. The flaw involves manipulation of the enable argument, and the reference notes public exploit information was available and later NVD analysis increased the severity rating.
CVE-2026-5105 disclosed for Totolink A3300R command injection flaw
A CVE record was published for a command injection vulnerability in the setVpnPassCfg function of /cgi-bin/cstecgi.cgi on Totolink A3300R firmware 17.0.0cu.557_b20221024. The flaw involves the pptpPassThru argument, is exploitable remotely, and public exploit material was referenced by VulDB and GitHub.
CVE-2026-5102 disclosed for Totolink A3300R command injection flaw
A CVE record was published for a remotely exploitable command injection vulnerability in the setSmartQosCfg function of /cgi-bin/cstecgi.cgi on Totolink A3300R firmware 17.0.0cu.557_b20221024. The flaw involves the qos_up_bw argument, and the reference notes public exploit information was available the same day.
NVD publishes initial analysis for Totolink A3300R CVEs
NVD added its initial analysis for the Totolink A3300R command injection vulnerabilities, including CVE-2026-5101 and CVE-2026-5104, on March 30, 2026. The enrichment included higher CVSS v3.1 scoring and additional weakness or affected-product mappings.
Public exploit disclosed for CVE-2026-5101 and CVE-2026-5104
Public exploit material and advisory information for two Totolink A3300R command injection flaws were disclosed via sources referenced by VulDB and GitHub. The disclosures covered the setLanCfg and setStaticRoute functions in /cgi-bin/cstecgi.cgi and indicated the issues may be used in attacks.
CVE-2026-5101 received for Totolink A3300R command injection flaw
A CVE record was created for a command injection vulnerability in the setLanCfg function of /cgi-bin/cstecgi.cgi on Totolink A3300R firmware 17.0.0cu.557_b20221024. The flaw involves manipulation of the lanIp argument and can be exploited remotely.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
9 references tracked. Mallory keeps watching after this page renders.
CVE-2026-31181 - Totolink A3300R Command Injection Vulnerability
cvefeed.io
Open sourceCVE-2026-31175 - ToToLink A3300R Command Injection Vulnerability
cvefeed.io
Open sourceCVE-2026-31178 - ToToLink A3300R Command Injection Vulnerability
cvefeed.io
Open sourceCVE-2026-31177 - ToToLink A3300R Command Injection Vulnerability
cvefeed.io
Open sourceCVE-2026-5103 - Totolink A3300R cstecgi.cgi setUPnPCfg command injection
cvefeed.io
Open sourceCVE-2026-5105 - Totolink A3300R Parameter cstecgi.cgi setVpnPassCfg command injection
cvefeed.io
Open sourceCVE-2026-5102 - Totolink A3300R Parameter cstecgi.cgi setSmartQosCfg command injection
cvefeed.io
Open sourceCVE-2026-5104 - Totolink A3300R cstecgi.cgi setStaticRoute command injection
cvefeed.io
Open sourceCVE-2026-5101 - Totolink A3300R Parameter cstecgi.cgi setLanCfg command injection
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Unauthenticated Command Injection Flaws Disclosed in Totolink A7100RU Router
Two critical vulnerabilities, **CVE-2026-5851** and **CVE-2026-5976**, were disclosed in the **Totolink A7100RU** router running firmware `7.4cu.2313_b20191024`, exposing the device to remote **OS command injection** without authentication or user interaction. Both flaws affect `/cgi-bin/cstecgi.cgi` in the router's CGI handler: CVE-2026-5851 is tied to the `setUPnPCfg` function through the `enable` argument, while CVE-2026-5976 affects the `setStorageCfg` function through the `sambaEnabled` argument. The vulnerabilities were classified under **CWE-78** and **CWE-77** and were assigned high to critical severity across CVSS versions, reflecting potential compromise of confidentiality, integrity, and availability. Public exploit information has reportedly been released, including references to **VulDB** and a **GitHub** disclosure repository, increasing the likelihood of exploitation against exposed devices that have not been updated or otherwise mitigated.
Apr 13, 2026
Critical Command Injection Flaws Expose Totolink A7100RU and A8000RU Routers
Two Totolink router models, **A7100RU** and **A8000RU**, were disclosed with critical OS command injection vulnerabilities in the CGI handler endpoint `/cgi-bin/cstecgi.cgi`. The flaws affect the `setVpnPassCfg` function and stem from improper handling of the `pptpPassThru` argument, allowing attackers to inject operating system commands remotely. The issues were assigned **CVE-2026-5850** for the A7100RU running firmware `7.4cu.2313_b20191024` and **CVE-2026-7037** for the A8000RU running firmware `7.1cu.643_b20200521`. Both vulnerabilities are classified under **CWE-78** and **CWE-77**, and were reported as remotely exploitable without privileges or user interaction. The disclosures indicate that **public exploits are available**, materially raising the risk of opportunistic compromise of exposed devices. Severity scoring across **CVSS v2**, **CVSS v3.1**, and **CVSS v4.0** places the flaws at critical or maximum-impact levels, making internet-facing Totolink routers running the affected firmware high-priority targets for remediation or isolation.
Apr 26, 2026
Critical Command Injection Flaws Expose Totolink A8000RU Routers to Remote RCE
Three critical vulnerabilities, **CVE-2026-7121**, **CVE-2026-7122**, and **CVE-2026-7125**, were disclosed in the **Totolink A8000RU** router running firmware `7.1cu.643_b20200521`, all affecting the `/cgi-bin/cstecgi.cgi` CGI handler. The flaws are OS command injection issues in the `setWizardCfg`, `setUPnPCfg`, and `setWiFiEasyCfg` functions, where crafted input to the `wizard`, `enable`, and `merge` arguments can trigger command execution on the device. The vulnerabilities are mapped to **CWE-78** and **CWE-77** and were rated critical across **CVSS v2**, **CVSS v3.1**, and **CVSS v4.0** scoring schemes. All three issues are remotely exploitable over the network and require **no privileges** and **no user interaction**, creating a high-risk exposure for internet-accessible devices. Public exploit information has already been disclosed, with references including VulDB entries and a GitHub proof-of-concept, increasing the likelihood of near-term exploitation. The disclosures indicate that multiple administrative configuration paths in the router's web interface can be abused for remote code execution, making unpatched A8000RU systems a priority for immediate review and remediation.
Apr 28, 2026