CVE-2026-5178
Published: 31 March 2026
Summary
CVE-2026-5178 is a medium-severity Injection (CWE-74) vulnerability in Totolink A3300R Firmware. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 28.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires identification, reporting, and correction of the specific command injection flaw in the Totolink A3300R firmware's setIptvCfg function.
Mandates validation of untrusted inputs like the vlanPriLan3 argument to block command injection in /cgi-bin/cstecgi.cgi.
Enables automated scanning and monitoring to identify systems affected by CVE-2026-5178 in the vulnerable firmware version.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection in router's web CGI enables exploitation of public-facing application (T1190) and facilitates arbitrary command execution on network device (T1059.008).
NVD Description
A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_b20221024. Affected by this issue is the function setIptvCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument vlanPriLan3 leads to command injection. Remote exploitation of the attack is possible. The…
more
exploit has been disclosed publicly and may be used.
Deeper analysisAI
CVE-2026-5178 is a command injection vulnerability (CWE-74, CWE-77) in the Totolink A3300R router, specifically firmware version 17.0.0cu.557_b20221024. The flaw resides in the setIptvCfg function within the /cgi-bin/cstecgi.cgi file, where manipulation of the vlanPriLan3 argument enables command injection.
The vulnerability allows remote exploitation over the network with low attack complexity and requires low privileges (PR:L) but no user interaction. Per its CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), an attacker with authenticated low-privilege access can achieve low-level impacts on confidentiality, integrity, and availability through injected commands.
Advisories note that the exploit has been publicly disclosed and is available as a proof-of-concept on GitHub (https://github.com/LvHongW/Vuln-of-totolink_A3300R/tree/main/A3300R_vlanPriLan3_cmd_inject), with further details on VulDB (https://vuldb.com/vuln/354246). The vendor site is at https://www.totolink.net/, though no specific patch or mitigation details are outlined in the references.
Details
- CWE(s)