Cyber Resilience

CVE-2026-4497

Severity: Medium · Public PoC

Published: 20 March 2026
Modified: 03 April 2026
KEV Added: not listed
Patch: no patch information referenced
CVSS Score (v4): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0191 (77.1st percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-4497 is a medium-severity Command Injection (CWE-77) vulnerability in Totolink WA300 firmware. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 22.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-10 (Information Input Validation).

Deeper analysis

A vulnerability was identified in the Totolink WA300 device running firmware version 5.2cu.7112_B20190227. The issue resides in the recvUpgradeNewFw function within /cgi-bin/cstecgi.cgi and stems from improper handling of input that permits operating system command injection, corresponding to CWE-77 and CWE-78. The flaw is remotely reachable and carries a CVSS 4.0 score of 6.9, reflecting a network attack vector, low attack complexity, and no required privileges or user interaction.

An unauthenticated remote attacker can supply crafted input to the affected CGI endpoint and execute arbitrary operating system commands on the device. Successful exploitation yields limited effects on confidentiality, integrity, and availability of the target system. A proof-of-concept exploit has been made publicly available.

The EPSS score for this CVE rose from a low baseline to a peak of 0.0396 on 2026-03-26 shortly after disclosure before receding to its current value of 0.0069, indicating a temporary increase in observed exploitation interest. No vendor advisory or patch information is referenced in the available sources.

Vulnerability details

A vulnerability was determined in Totolink WA300 5.2cu.7112_B20190227. Affected by this issue is the function recvUpgradeNewFw of the file /cgi-bin/cstecgi.cgi. This manipulation causes OS command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.

CWE(s): CWE-77 (Command Injection), CWE-78 (OS Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.008 Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.
Why these techniques?

This CVE enables unauthenticated remote exploitation of a public-facing web application (the router's CGI interface) for arbitrary OS command execution on a network device CLI.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2167 (same product: Totolink WA300)
CVE-2026-0641 (same product: Totolink WA300)
CVE-2026-3696 (same vendor: Totolink)
CVE-2025-2095 (same vendor: Totolink)
CVE-2025-51390 (same vendor: Totolink)
CVE-2025-52046 (same vendor: Totolink)
CVE-2025-11005 (same vendor: Totolink)
CVE-2025-52906 (same vendor: Totolink)
CVE-2026-31181 (same vendor: Totolink)
CVE-2024-57211 (same vendor: Totolink)

Affected Assets

Vendor: totolink
Product: wa300 firmware
Version: 5.2cu.7112_b20190227

Mitigating Controls (NIST 800-53 r5)

prevent: SI-10 (Information Input Validation)
Directly mitigates OS command injection by requiring validation of untrusted inputs to the vulnerable recvUpgradeNewFw function in cstecgi.cgi.

prevent
Ensures timely identification, reporting, and patching of the specific command injection flaw in Totolink WA300 firmware version 5.2cu.7112_B20190227.

prevent: SC-14 (Public Access Protections)
Protects publicly accessible router web interfaces, such as the vulnerable CGI endpoint, from unauthorized remote access and malicious code execution via command injection.
