CVE-2026-5104
Published: 30 March 2026
Summary
CVE-2026-5104 is a medium-severity Injection (CWE-74) vulnerability in Totolink A3300R Firmware. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 14.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents command injection by requiring validation of the untrusted 'ip' argument in the setStaticRoute CGI function.
Addresses the root cause flaw through timely firmware remediation to fix improper neutralization of special elements in the affected CGI script.
Limits damage from exploited command injection by enforcing least privilege on low-privileged authenticated users accessing the vulnerable endpoint.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a command injection in a public-facing router web CGI script (T1190: Exploit Public-Facing Application), enabling arbitrary Unix shell command execution (T1059.004: Unix Shell).
NVD Description
A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_b20221024. Impacted is the function setStaticRoute of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument ip leads to command injection. The attack may be performed from remote. The exploit has been…
more
disclosed publicly and may be used.
Deeper analysisAI
CVE-2026-5104 is a command injection vulnerability in the Totolink A3300R router running firmware version 17.0.0cu.557_b20221024. The flaw resides in the setStaticRoute function within the /cgi-bin/cstecgi.cgi script, where insufficient validation of the 'ip' argument allows attackers to inject arbitrary commands. This issue is classified under CWE-74 (improper neutralization of special elements) and CWE-77 (command injection), with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity.
Remote attackers with low privileges, such as authenticated users, can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation enables limited impacts, including low-level disclosure of confidential information, modification of data or settings, and denial of service through partial availability disruption.
Advisories note that the exploit has been publicly disclosed, with proof-of-concept code available on GitHub at https://github.com/LvHongW/Vuln-of-totolink_A3300R/tree/main/A3300R_ip_cmd_inject. Additional details are documented on VulDB (https://vuldb.com/vuln/354129 and related pages), and the vendor's site is at https://www.totolink.net/, though no specific patch information is detailed in the provided references. Security practitioners should monitor for firmware updates and restrict access to the affected CGI endpoint.
Details
- CWE(s)