CVE-2026-4497
Published: 20 March 2026
Summary
CVE-2026-4497 is a medium-severity Command Injection (CWE-77) vulnerability in Totolink WA300 firmware. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 22.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-10 (Information Input Validation).
Deeper analysis
A vulnerability was identified in the Totolink WA300 device running firmware version 5.2cu.7112_B20190227. The issue resides in the recvUpgradeNewFw function within /cgi-bin/cstecgi.cgi and stems from improper handling of input that permits operating system command injection, corresponding to CWE-77 and CWE-78. The flaw is remotely reachable and carries a CVSS 4.0 score of 6.9, reflecting a network attack vector, low complexity, and no required privileges or user interaction.
An unauthenticated remote attacker can supply crafted input to the affected CGI endpoint and execute arbitrary operating system commands on the device. Successful exploitation yields limited effects on confidentiality, integrity, and availability of the target system. A proof-of-concept exploit has been made publicly available.
The EPSS score for this CVE rose from a low baseline to a peak of 0.0396 on 2026-03-26, shortly after disclosure, before receding to its current value of 0.0069, indicating a temporary increase in observed exploitation interest. No vendor advisory or patch information is referenced in the available sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-13770
Vulnerability details
A vulnerability was determined in Totolink WA300 5.2cu.7112_B20190227. Affected by this issue is the function recvUpgradeNewFw of the file /cgi-bin/cstecgi.cgi. This manipulation causes OS command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This CVE enables unauthenticated remote exploitation of a public-facing web application (the router's CGI interface) to execute arbitrary OS commands on the network device, which maps to Exploit Public-Facing Application (T1190).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly mitigates OS command injection by requiring validation of untrusted inputs reaching the vulnerable recvUpgradeNewFw function in cstecgi.cgi.
- Flaw remediation: Ensures timely identification, reporting, and patching of the specific command injection flaw in Totolink WA300 firmware version 5.2cu.7112_B20190227.
- SC-14 (Public Access Protections): Protects publicly accessible router web interfaces, such as the vulnerable CGI endpoint, from unauthorized remote access and malicious code execution via command injection.
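As an added example (not TOTOLINK's code and not the recvUpgradeNewFw handler itself), the following C shows the SI-10 pattern the controls above describe: an allowlist check on an untrusted firmware-file-name parameter, and execution of the upgrade helper through execv with an argv array rather than a shell. The helper path /sbin/fw_upgrade, the /tmp staging directory and the naming policy are assumptions.

```c
/* Added example, not TOTOLINK's code: hardened handling of an untrusted
 * firmware-file parameter in a CGI handler (NIST SI-10, input validation).
 * The helper path and the name policy are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define FW_NAME_MAX 64
#define UPGRADE_HELPER "/sbin/fw_upgrade"  /* hypothetical upgrade helper */

/* Allowlist: 1..64 chars of [A-Za-z0-9._-], no leading '.' or '-', no "..".
 * Returns 1 if acceptable, 0 otherwise. Reject rather than strip, so a value
 * carrying shell metacharacters is refused instead of "cleaned". */
int fw_name_is_valid(const char *name)
{
    if (name == NULL || name[0] == '\0') return 0;
    if (name[0] == '.' || name[0] == '-') return 0;  /* hidden / option-like */
    size_t n = 0;
    for (; name[n] != '\0'; n++) {
        unsigned char c = (unsigned char)name[n];
        if (n >= FW_NAME_MAX) return 0;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return strstr(name, "..") == NULL;
}

/* Run the helper with execv, never system()/popen(): the file path is one
 * argv element, so no shell ever parses it. Returns the helper's exit status,
 * or -1 if validation fails or the process cannot be started. */
int run_upgrade(const char *name)
{
    if (!fw_name_is_valid(name)) return -1;
    char path[FW_NAME_MAX + 16];
    snprintf(path, sizeof path, "/tmp/%s", name);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { UPGRADE_HELPER, path, NULL };
        execv(UPGRADE_HELPER, argv);
        _exit(127);  /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Validation happens before the fork, so a rejected value never reaches a process at all; the exec path carries the name as a single argument, which is what removes the shell-parsing step that CWE-78 depends on.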