PT-2026-29188 · Totolink · Totolink A3300R

Lvhw

·

Published

2026-03-31

·

Updated

2026-03-31

·

CVE-2026-5178

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Totolink A3300R version 17.0.0cu.557 b20221024
Description A security issue exists in Totolink A3300R 17.0.0cu.557 b20221024. The setIptvCfg function within the /cgi-bin/cstecgi.cgi file is susceptible to command injection through manipulation of the vlanPriLan3 argument. Remote exploitation is possible. The exploit has been publicly disclosed.
Recommendations Apply a software update that addresses the vulnerability in the setIptvCfg function. As a temporary workaround, restrict access to the /cgi-bin/cstecgi.cgi file. Avoid using the vlanPriLan3 parameter in the affected API endpoint until the issue is resolved.

Exploit

Fix

Command Injection

Special Elements Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-5178

Affected Products

Totolink A3300R