Cyber Resilience

CVE-2026-5105

MediumPublic PoC

Published: 30 March 2026

Published
30 March 2026
Modified
30 March 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0367 88.2th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-5105 is a medium-severity Injection (CWE-74) vulnerability in Totolink A3300R Firmware. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 11.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-5105 is a command injection vulnerability affecting the Totolink A3300R router in version 17.0.0cu.557_b20221024. The flaw exists in the setVpnPassCfg function of the /cgi-bin/cstecgi.cgi file within the Parameter Handler component, where manipulation of the pptpPassThru argument enables command injection. It is associated with CWEs-74 and CWE-77 and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

The vulnerability allows remote exploitation by attackers possessing low privileges, such as authenticated users, with no need for user interaction. Successful attacks can result in limited impacts to confidentiality, integrity, and availability, potentially enabling arbitrary command execution on the targeted device.

Advisories and references, including VulDB entries at https://vuldb.com/vuln/354130 and https://vuldb.com/submit/779143, detail the issue, while a public proof-of-concept exploit is available on GitHub at https://github.com/LvHongW/Vuln-of-totolink_A3300R/tree/main/A3300R_pptpPassThru_cmd_inject. The vendor's site at https://www.totolink.net/ should be consulted for any patches or mitigation guidance.

The exploit is now public and may be used, heightening the risk for unpatched Totolink A3300R devices exposed to the internet.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability was detected in Totolink A3300R 17.0.0cu.557_b20221024. The affected element is the function setVpnPassCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. Performing a manipulation of the argument pptpPassThru results in command injection. It is possible to initiate…

more

the attack remotely. The exploit is now public and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
Why these techniques?

The vulnerability is a command injection in a public-facing web CGI interface on a router, directly enabling exploitation of public-facing applications (T1190) and execution of commands via the network device CLI (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-5176Same product: Totolink A3300R
CVE-2026-5178Same product: Totolink A3300R
CVE-2025-52046Same product: Totolink A3300R
CVE-2026-5104Same product: Totolink A3300R
CVE-2026-5103Same product: Totolink A3300R
CVE-2026-5177Same product: Totolink A3300R
CVE-2026-5102Same product: Totolink A3300R
CVE-2026-5101Same product: Totolink A3300R
CVE-2026-31181Same product: Totolink A3300R
CVE-2026-31178Same product: Totolink A3300R

Affected Assets

totolink
a3300r firmware
17.0.0cu.557_b20221024

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents command injection by validating and sanitizing the pptpPassThru argument in the vulnerable setVpnPassCfg function of /cgi-bin/cstecgi.cgi.

prevent

Mitigates the vulnerability through timely identification, reporting, and patching of the command injection flaw in Totolink A3300R firmware version 17.0.0cu.557_b20221024.

detectrespond

Detects CVE-2026-5105 via vulnerability scanning of the affected router and initiates remediation to apply patches or mitigations.

References