{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5679", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-06T09:45:14.836Z", "datePublished": "2026-04-06T19:00:19.633Z", "dateUpdated": "2026-04-07T15:10:20.818Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-06T19:00:19.633Z"}, "title": "Totolink A3300R cstecgi.cgi vsetTr069Cfg os command injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-78", "lang": "en", "description": "OS Command Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "Command Injection"}]}], "affected": [{"vendor": "Totolink", "product": "A3300R", "versions": [{"version": "17.0.0cu.557_B20221024", "status": "affected"}], "cpes": ["cpe:2.3:o:totolink:a3300r_firmware:*:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_B20221024. The impacted element is the function vsetTr069Cfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument stun_pass leads to os command injection. The exploit has been disclosed publicly and may be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.2, "vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-06T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-06T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-06T11:50:19.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "m202572177 (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/355506", "name": "VDB-355506 | Totolink A3300R cstecgi.cgi vsetTr069Cfg os command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/355506/cti", "name": "VDB-355506 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/792650", "name": "Submit #792650 | Totolink A3300R V17.0.0cu.557_B20221024 OS Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://vuldb.com/submit/792798", "name": "Submit #792798 | Totolink A3300R V17.0.0cu.557_B20221024 OS Command Injection (Duplicate)", "tags": ["third-party-advisory"]}, {"url": "https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-pass-cmd-injection", "tags": ["exploit"]}, {"url": "https://www.totolink.net/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T15:06:14.842153Z", "id": "CVE-2026-5679", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T15:10:20.818Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5679", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T15:06:14.842153Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T15:06:18.706Z"}}], "cna": {"title": "Totolink A3300R cstecgi.cgi vsetTr069Cfg os command injection", "credits": [{"lang": "en", "type": "reporter", "value": "m202572177 (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.2, "vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"cpes": ["cpe:2.3:o:totolink:a3300r_firmware:*:*:*:*:*:*:*:*"], "vendor": "Totolink", "product": "A3300R", "versions": [{"status": "affected", "version": "17.0.0cu.557_B20221024"}]}], "timeline": [{"lang": "en", "time": "2026-04-06T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-06T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-06T11:50:19.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/355506", "name": "VDB-355506 | Totolink A3300R cstecgi.cgi vsetTr069Cfg os command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/355506/cti", "name": "VDB-355506 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/792650", "name": "Submit #792650 | Totolink A3300R V17.0.0cu.557_B20221024 OS Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://vuldb.com/submit/792798", "name": "Submit #792798 | Totolink A3300R V17.0.0cu.557_B20221024 OS Command Injection (Duplicate)", "tags": ["third-party-advisory"]}, {"url": "https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-pass-cmd-injection", "tags": ["exploit"]}, {"url": "https://www.totolink.net/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_B20221024. The impacted element is the function vsetTr069Cfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument stun_pass leads to os command injection. The exploit has been disclosed publicly and may be used."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "OS Command Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "Command Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-06T19:00:19.633Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5679", "state": "PUBLISHED", "dateUpdated": "2026-04-07T15:10:20.818Z", "dateReserved": "2026-04-06T09:45:14.836Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-06T19:00:19.633Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_B20221024. The impacted element is the function vsetTr069Cfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument stun_pass leads to os command injection. The exploit has been disclosed publicly and may be used."}], "id": "CVE-2026-5679", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 5.2, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 5.1, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-06T20:16:28.787", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-pass-cmd-injection"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/792650"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/792798"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355506"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/355506/cti"}, {"source": "cna@vuldb.com", "url": "https://www.totolink.net/"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}, {"lang": "en", "value": "CWE-78"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "17.0.0cu.557_B20221024"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "A3300R", "source": "cna", "vendor": "Totolink"}, "product": "a3300r", "vendor": "totolink"}], "analysis": {"en": {"generated_at": "2026-04-22T03:35:39.453117+00:00", "value": {"mitigation_remediation": ["Apply the latest firmware release that patches the command\u2011injection flaw in the vsetTr069Cfg endpoint.", "If a firmware update is not yet available, block or remove external access to the /cgi-bin/cstecgi.cgi script and disable remote STUN configuration management.", "Restrict remote management to trusted internal IP ranges or enforce VPN access only.", "Verify that the STUN password is strong and not set to a known default.", "Continuously monitor device logs for attempts to invoke the stun_pass parameter or to call the vulnerable CGI script."], "summary": {"action": "Immediate Patch", "impact": "Remote Command Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Totolink A3300R router running firmware version 17.0.0cu.557_B20221024. The issue resides in the /cgi-bin/cstecgi.cgi endpoint and is specific to that product line.", "description_and_impact": "A function in the router\u2019s firmware, vsetTr069Cfg, processes a parameter named stun_pass. By altering this argument an attacker can insert arbitrary operating\u2011system commands, leading to remote code execution on the device. Successful exploitation permits full control over the router, threatening the confidentiality, integrity, and availability of the device and any networks it serves.", "risk_and_exploitability": "The CVSS score of 5.1 indicates moderate severity. The flaw exists in a web-accessible CGI script, but the description does not state whether the interface is publicly exposed. Based on the description, it is inferred that if /cgi-bin/cstecgi.cgi can be reached from outside the local network, an attacker could leverage the command injection without additional credentials. The EPSS score is less than 1% and the flaw is not listed in the CISA KEV catalog, suggesting limited widespread exploitation to date. Nevertheless, the potential impact remains significant if the script is externally accessible, allowing an attacker to execute arbitrary OS commands on the device."}}}}, "created": "2026-04-07T06:54:35.554655+00:00", "updated": "2026-04-22T03:45:06.973121+00:00", "vendors": ["totolink", "totolink$PRODUCT$a3300r"]}