Platform
other
Component
vul_db
Fixed in
17.0.1
A command injection vulnerability has been identified in the Totolink A3300R firmware, specifically within the Parameter Handler component's setSmartQosCfg function. This flaw allows attackers to inject arbitrary commands by manipulating the qosupbw argument in the /cgi-bin/cstecgi.cgi file. The vulnerability impacts firmware version 17.0.0cu.557_b20221024 and can be exploited remotely. A public exploit is available, increasing the risk of immediate exploitation.
Successful exploitation of CVE-2026-5102 allows an attacker to execute arbitrary commands on the affected Totolink A3300R router with the privileges of the web server process. This could lead to complete system compromise, including data exfiltration, malware installation, and denial-of-service. The remote nature of the vulnerability and the availability of a public exploit significantly increase the potential for widespread attacks targeting vulnerable routers. Given the router's role in network connectivity, a successful attack could provide a foothold for lateral movement within the internal network, potentially impacting other connected devices and systems. The blast radius extends to any sensitive data passing through the compromised router.
CVE-2026-5102 is considered a high-risk vulnerability due to the public availability of an exploit. While an EPSS score is not yet available, the public exploit suggests a high probability of exploitation. The vulnerability was publicly disclosed on March 30, 2026. Monitor security advisories and threat intelligence feeds for updates on active exploitation campaigns targeting Totolink A3300R routers.
Exploit Status
EPSS
2.16% (84% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-5102 is to upgrade the Totolink A3300R firmware to a patched version. Totolink has not yet released a patch, so temporary workarounds are necessary. Consider implementing strict input validation on the qosupbw parameter within the /cgi-bin/cstecgi.cgi file, although this may impact legitimate functionality. Web application firewalls (WAFs) can be configured to detect and block malicious requests attempting to inject commands. Monitor router logs for suspicious activity, particularly requests to /cgi-bin/cstecgi.cgi with unusual parameters. After applying any mitigations or upgrading the firmware, confirm the vulnerability is resolved by attempting to trigger the command injection with a benign payload and verifying that it is properly sanitized.
Update the Totolink A3300R router firmware to a version later than 17.0.0cu.557_b20221024 to mitigate the command injection vulnerability. Refer to the vendor's website for the latest firmware version and update instructions.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-5102 is a command injection vulnerability affecting the Totolink A3300R router's firmware, allowing attackers to execute commands remotely by manipulating the qosupbw parameter. It has a medium severity rating (CVSS 6.3).
You are affected if you are using Totolink A3300R firmware version 17.0.0cu.557_b20221024 and have not upgraded to a patched version. Check your router's firmware version and apply updates as soon as they become available.
The recommended fix is to upgrade to a patched firmware version from Totolink. Until a patch is available, implement temporary workarounds like input validation and WAF rules.
Yes, a public exploit is available, indicating a high probability of active exploitation. Monitor your router logs and network traffic for suspicious activity.
Refer to the Totolink website and security advisories for updates and official information regarding CVE-2026-5102 and available firmware patches.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.