Cyber Resilience

CVE-2026-5178

Severity: Medium · Public PoC available

Published: 31 March 2026
Modified: 06 April 2026
KEV Added: not listed (not in the CISA KEV catalog at time of writing)
Patch: none referenced
CVSS v4 score: 5.3 (Medium)
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0366 (88.2nd percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-5178 is a medium-severity Injection (CWE-74) vulnerability in Totolink A3300R Firmware. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique T1190 (Exploit Public-Facing Application). The CVE ranks in the top 11.8% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

A security vulnerability exists in the Totolink A3300R router running firmware 17.0.0cu.557_b20221024. The issue is a command injection flaw in the setIptvCfg function within /cgi-bin/cstecgi.cgi, triggered by manipulation of the vlanPriLan3 argument. It is tracked under CWE-74 and CWE-77, carries a CVSS 4.0 score of 5.3, and permits remote exploitation.

An authenticated attacker with low privileges can send a crafted HTTP request to the CGI endpoint and execute arbitrary commands on the device. The prerequisite is a valid web-interface login (PR:L); where that login is a default or weak credential, the bar is correspondingly low. The CVSS vector rates the confidentiality, integrity and availability impact as Low (VC:L/VI:L/VA:L) with no subsequent-system impact (SC:N/SI:N/SA:N). In practice, arbitrary command execution on a router's operating system usually lets an attacker reconfigure the device or use it as a network pivot, so defenders should treat a compromised unit as fully controlled regardless of the vector's Low rating.

Public exploit code has been disclosed via a GitHub repository, and the EPSS score rose from a baseline of 0.0060 to a peak of 0.0121 after disclosure, indicating increased exploitation interest (the current EPSS value shown in the header, 0.0366, is higher still). No vendor advisory or patch information is provided in the available references; until one appears, exposure of the web administration interface to untrusted networks should be treated as the primary risk.


Vulnerability details

A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_b20221024. Affected by this issue is the function setIptvCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument vlanPriLan3 leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.

CWE(s): CWE-74 (Injection), CWE-77 (Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.008 Network Device CLI (tactic: Execution)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.
Why these techniques?

Command injection in the router's web CGI is exploitation of a public-facing application (T1190), and the injected payload then executes as commands on the network device itself (T1059.008). If the firmware is Linux-based (not stated on this page), the commands run in a Unix shell, so detection content keyed to T1059.004 (Unix Shell) is the closer match for endpoint-side telemetry.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-5176 (same product: Totolink A3300R)
CVE-2026-5105 (same product: Totolink A3300R)
CVE-2025-52046 (same product: Totolink A3300R)
CVE-2026-5104 (same product: Totolink A3300R)
CVE-2026-5103 (same product: Totolink A3300R)
CVE-2026-5177 (same product: Totolink A3300R)
CVE-2026-5102 (same product: Totolink A3300R)
CVE-2026-5101 (same product: Totolink A3300R)
CVE-2026-31181 (same product: Totolink A3300R)
CVE-2026-31178 (same product: Totolink A3300R)

Affected Assets

Vendor: totolink
Product: a3300r firmware
Version: 17.0.0cu.557_b20221024

Mitigating Controls (NIST 800-53 r5, AI-mapped)

prevent (control identifier not preserved on this page; the wording matches SI-2 Flaw Remediation): Directly requires identification, reporting, and correction of the specific command injection flaw in the Totolink A3300R firmware's setIptvCfg function.

prevent (SI-10 Information Input Validation): Mandates validation of untrusted inputs like the vlanPriLan3 argument to block command injection in /cgi-bin/cstecgi.cgi.

detect (RA-5 Vulnerability Monitoring and Scanning): Enables automated scanning and monitoring to identify systems affected by CVE-2026-5178 in the vulnerable firmware version.
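The handler-side fix and the monitoring check that these controls describe, as an added example in C. This is not Totolink firmware code and is not taken from the page's references: the "unsafe" builder is a hypothetical reconstruction of how a CGI argument such as vlanPriLan3 can reach a command line unchecked, the `iptvcfg --lan3-pri` command is a placeholder, the 0..7 range assumes vlanPriLan3 is an 802.1p VLAN priority (inferred from its name, not stated on the page), and the log record format and sample records are constructed for the example. It serves both the exploitation description under "Deeper analysis" and the SI-10 / RA-5 controls listed here.

```c
/* Added example for the CVE-2026-5178 discussion; not Totolink firmware code.
 * Shows (1) the unsafe pattern behind a CWE-77 bug in a CGI handler,
 * (2) the strict allow-list parse that closes it, and (3) a log-side check
 * that flags requests carrying an out-of-spec vlanPriLan3 value. */
#include <stdio.h>
#include <string.h>

/* (1) Hypothetical unsafe pattern: the CGI argument is interpolated verbatim
 * into a command line.  Real firmware would hand this buffer to system();
 * the example only builds the string so that it runs harmlessly. */
int build_iptv_cmd_unsafe(const char *vlan_pri_lan3, char *out, size_t outlen)
{
    /* "iptvcfg --lan3-pri" is a placeholder, not the device's real command */
    int n = snprintf(out, outlen, "iptvcfg --lan3-pri %s", vlan_pri_lan3);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* (2) Hardened parse.  An 802.1p priority is a 3-bit value, so the only
 * acceptable input is a single ASCII digit '0'..'7'.  Anything else, including
 * "3;id", "07" or URL-encoded bytes, is rejected with -1.  (That vlanPriLan3
 * is an 802.1p priority is an assumption drawn from its name.) */
int parse_vlan_pri(const char *s)
{
    if (s == NULL || s[0] == '\0' || s[1] != '\0') return -1; /* exactly one byte */
    if (s[0] < '0' || s[0] > '7') return -1;
    return s[0] - '0';
}

/* Hardened builder: only the validated integer is formatted, so no
 * attacker-controlled byte can reach a shell. */
int build_iptv_cmd_safe(const char *vlan_pri_lan3, char *out, size_t outlen)
{
    int pri = parse_vlan_pri(vlan_pri_lan3);
    if (pri < 0) return -1;
    int n = snprintf(out, outlen, "iptvcfg --lan3-pri %d", pri);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* (3) Log-side check.  Record format is constructed for this example:
 * "<client> <method> <path> key=value key=value ...".  Copies the value of
 * key into out; returns 0 if found, -1 otherwise.  A value ends at a space,
 * an '&' or the end of the record. */
int extract_param(const char *rec, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = rec;
    while ((p = strstr(p, key)) != NULL) {
        int at_start = p == rec || p[-1] == ' ' || p[-1] == '&' || p[-1] == '?';
        if (at_start && p[klen] == '=') {
            size_t i = 0;
            p += klen + 1;
            while (p[i] != '\0' && p[i] != ' ' && p[i] != '&' && i + 1 < outlen) {
                out[i] = p[i];
                i++;
            }
            out[i] = '\0';
            return 0;
        }
        p += klen; /* substring match inside another token; keep searching */
    }
    return -1;
}

/* Returns 1 when a request reaches the setIptvCfg handler in cstecgi.cgi with a
 * vlanPriLan3 that no legitimate client would send, 0 otherwise. */
int suspicious_iptv_request(const char *rec)
{
    char val[64];
    if (strstr(rec, "/cgi-bin/cstecgi.cgi") == NULL) return 0;
    if (strstr(rec, "setIptvCfg") == NULL) return 0;
    if (extract_param(rec, "vlanPriLan3", val, sizeof val) != 0) return 0;
    return parse_vlan_pri(val) < 0;
}

int main(void)
{
    /* constructed records, not real router logs */
    const char *recs[] = {
        "192.0.2.10 POST /cgi-bin/cstecgi.cgi action=setIptvCfg vlanPriLan3=3",
        "192.0.2.10 POST /cgi-bin/cstecgi.cgi action=setIptvCfg vlanPriLan3=3;id",
        "192.0.2.10 POST /cgi-bin/cstecgi.cgi action=setIptvCfg vlanPriLan3=3%3Bid",
        "192.0.2.10 GET /cgi-bin/cstecgi.cgi action=getIptvCfg",
    };
    char cmd[128];
    for (size_t i = 0; i < sizeof recs / sizeof recs[0]; i++)
        printf("%s -> %s\n", recs[i], suspicious_iptv_request(recs[i]) ? "FLAG" : "ok");
    if (build_iptv_cmd_unsafe("3;id", cmd, sizeof cmd) == 0)
        printf("unsafe builder would run: %s\n", cmd);
    printf("safe builder on \"3;id\" returns %d\n", build_iptv_cmd_safe("3;id", cmd, sizeof cmd));
    return 0;
}
```

Two design points: the safe builder formats the validated integer rather than the raw string, so a shell metacharacter cannot survive even if a later refactor loosens the parser; and the log check flags URL-encoded payloads (for example %3B) as well as raw ones, because "anything other than a single digit 0..7" is a cheaper and more robust rule than enumerating metacharacters.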
