CVE-2026-5105
Published: 30 March 2026
Summary
CVE-2026-5105 is a medium-severity Injection (CWE-74) vulnerability in Totolink A3300R Firmware. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 14.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents command injection by validating and sanitizing the pptpPassThru argument in the vulnerable setVpnPassCfg function of /cgi-bin/cstecgi.cgi.
Mitigates the vulnerability through timely identification, reporting, and patching of the command injection flaw in Totolink A3300R firmware version 17.0.0cu.557_b20221024.
Detects CVE-2026-5105 via vulnerability scanning of the affected router and initiates remediation to apply patches or mitigations.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a command injection in a public-facing web CGI interface on a router, directly enabling exploitation of public-facing applications (T1190) and execution of commands via the network device CLI (T1059.008).
NVD Description
A vulnerability was detected in Totolink A3300R 17.0.0cu.557_b20221024. The affected element is the function setVpnPassCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. Performing a manipulation of the argument pptpPassThru results in command injection. It is possible to initiate…
more
the attack remotely. The exploit is now public and may be used.
Deeper analysisAI
CVE-2026-5105 is a command injection vulnerability affecting the Totolink A3300R router in version 17.0.0cu.557_b20221024. The flaw exists in the setVpnPassCfg function of the /cgi-bin/cstecgi.cgi file within the Parameter Handler component, where manipulation of the pptpPassThru argument enables command injection. It is associated with CWEs-74 and CWE-77 and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability allows remote exploitation by attackers possessing low privileges, such as authenticated users, with no need for user interaction. Successful attacks can result in limited impacts to confidentiality, integrity, and availability, potentially enabling arbitrary command execution on the targeted device.
Advisories and references, including VulDB entries at https://vuldb.com/vuln/354130 and https://vuldb.com/submit/779143, detail the issue, while a public proof-of-concept exploit is available on GitHub at https://github.com/LvHongW/Vuln-of-totolink_A3300R/tree/main/A3300R_pptpPassThru_cmd_inject. The vendor's site at https://www.totolink.net/ should be consulted for any patches or mitigation guidance.
The exploit is now public and may be used, heightening the risk for unpatched Totolink A3300R devices exposed to the internet.
Details
- CWE(s)