CVE-2026-0641
Published: 06 January 2026
Summary
CVE-2026-0641 is a medium-severity Injection (CWE-74) vulnerability in Totolink Wa300 Firmware. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 15.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates command injection by requiring validation and sanitization of the UPLOAD_FILENAME argument in cstecgi.cgi to reject malicious payloads.
Addresses the specific flaw in sub_401510 by mandating identification, testing, and deployment of firmware patches or updates for the TOTOLINK WA300 router.
Limits the impact of arbitrary command execution from injected UPLOAD_FILENAME by enforcing least privilege on router processes and authenticated users.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables exploitation of a public-facing web application (T1190) via command injection in a CGI script, leading to arbitrary Unix shell command execution (T1059.004) on the router.
NVD Description
A security vulnerability has been detected in TOTOLINK WA300 5.2cu.7112_B20190227. This vulnerability affects the function sub_401510 of the file cstecgi.cgi. The manipulation of the argument UPLOAD_FILENAME leads to command injection. The attack may be initiated remotely. The exploit has been…
more
disclosed publicly and may be used.
Deeper analysisAI
CVE-2026-0641 is a command injection vulnerability affecting the TOTOLINK WA300 router on firmware version 5.2cu.7112_B20190227. The issue resides in the sub_401510 function within the cstecgi.cgi file, where manipulation of the UPLOAD_FILENAME argument enables attackers to inject and execute arbitrary commands.
The vulnerability is exploitable remotely over the network with low complexity and no user interaction required, but it necessitates low privileges (PR:L) such as an authenticated user account. Exploitation yields limited impacts on confidentiality, integrity, and availability, as reflected in its CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). Attackers can achieve remote code execution via the disclosed proof-of-concept.
Advisories on VulDB (ctiid.339684, id.339684) and a GitHub repository (https://github.com/JackWesleyy/CVE/blob/main/WA300/TOTOLINK_WA300_RCE.md, including PoC at #poc) detail the vulnerability and exploit, but no specific patches or vendor mitigations are referenced in the available information.
The exploit has been publicly disclosed and may be used, with associated CWEs CWE-74 and CWE-77 highlighting improper neutralization of special elements in commands.
Details
- CWE(s)