CVE-2026-5178
Published: 31 March 2026
Summary
CVE-2026-5178 is a medium-severity Injection (CWE-74) vulnerability in Totolink A3300R Firmware. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 11.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
A security vulnerability exists in the Totolink A3300R router running firmware 17.0.0cu.557_b20221024. The issue is a command injection flaw in the setIptvCfg function within /cgi-bin/cstecgi.cgi, triggered by manipulation of the vlanPriLan3 argument. It is tracked under CWE-74 and CWE-77, carries a CVSS 4.0 score of 5.3, and permits remote exploitation.
An authenticated attacker with low privileges can send a crafted HTTP request to the CGI endpoint and execute arbitrary commands on the device. Successful exploitation yields limited control over confidentiality, integrity, and availability of the affected router, with no impact on surrounding systems.
Public exploit code has been disclosed via a GitHub repository, and the EPSS score rose from a baseline of 0.0060 to a peak of 0.0121, indicating increased exploitation interest after disclosure. No vendor advisory or patch information is provided in the available references.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-17309
Vulnerability details
A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_b20221024. Affected by this issue is the function setIptvCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument vlanPriLan3 leads to command injection. Remote exploitation of the attack is possible. The…
more
exploit has been disclosed publicly and may be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection in router's web CGI enables exploitation of public-facing application (T1190) and facilitates arbitrary command execution on network device (T1059.008).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires identification, reporting, and correction of the specific command injection flaw in the Totolink A3300R firmware's setIptvCfg function.
Mandates validation of untrusted inputs like the vlanPriLan3 argument to block command injection in /cgi-bin/cstecgi.cgi.
Enables automated scanning and monitoring to identify systems affected by CVE-2026-5178 in the vulnerable firmware version.