Totolink A3300R Firmware vulnerabilities

43 known vulnerabilities affecting totolink/a3300r_firmware.

Total CVEs: 43
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 24, HIGH 9, MEDIUM 9, LOW 1

Vulnerabilities

Page 1 of 3
CVE-2026-5178 | MEDIUM | CVSS 5.3 | v17.0.0cu.557_b20221024 | 2026-03-31
CWE-74: A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_b20221024. Affected by this issue is the function setIptvCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument vlanPriLan3 leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.
Source: nvd

CVE-2026-5176 | MEDIUM | CVSS 6.9 | v17.0.0cu.557_b20221024 | 2026-03-31
CWE-74: A security flaw has been discovered in Totolink A3300R 17.0.0cu.557_b20221024. Affected is the function setSyslogCfg of the file /cgi-bin/cstecgi.cgi. Performing a manipulation of the argument provided results in command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks.
Source: nvd

CVE-2026-5177 | MEDIUM | CVSS 5.3 | v17.0.0cu.557_b20221024 | 2026-03-31
CWE-74: A weakness has been identified in Totolink A3300R 17.0.0cu.557_b20221024. Affected by this vulnerability is the function setWiFiBasicCfg of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument rxRate can lead to command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used
Source: nvd

CVE-2026-5103 | MEDIUM | CVSS 5.3 | v17.0.0cu.557_b20221024 | 2026-03-30
CWE-74: A weakness has been identified in Totolink A3300R 17.0.0cu.557_b20221024. This issue affects the function setUPnPCfg of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument enable causes command injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks.
Source: nvd

CVE-2026-5102 | MEDIUM | CVSS 5.3 | v17.0.0cu.557_b20221024 | 2026-03-30
CWE-74: A security flaw has been discovered in Totolink A3300R 17.0.0cu.557_b20221024. This vulnerability affects the function setSmartQosCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. The manipulation of the argument qos_up_bw results in command injection. The attack can be executed remotely. The exploit has been released to the publ
Source: nvd

CVE-2026-5104 | MEDIUM | CVSS 5.3 | v17.0.0cu.557_b20221024 | 2026-03-30
CWE-74: A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_b20221024. Impacted is the function setStaticRoute of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument ip leads to command injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.
Source: nvd

CVE-2026-5105 | MEDIUM | CVSS 5.3 | v17.0.0cu.557_b20221024 | 2026-03-30
CWE-74: A vulnerability was detected in Totolink A3300R 17.0.0cu.557_b20221024. The affected element is the function setVpnPassCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. Performing a manipulation of the argument pptpPassThru results in command injection. It is possible to initiate the attack remotely. The exploit is now public and
Source: nvd

CVE-2026-5101 | MEDIUM | CVSS 5.3 | v17.0.0cu.557_b20221024 | 2026-03-29
CWE-74: A vulnerability was identified in Totolink A3300R 17.0.0cu.557_b20221024. This affects the function setLanCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. The manipulation of the argument lanIp leads to command injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.
Source: nvd

CVE-2025-55895 | CRITICAL | CVSS 9.1 | v17.0.0cu.557_b20221024 | 2025-12-15
CWE-284: TOTOLINK A3300R V17.0.0cu.557_B20221024 and N200RE V9.3.5u.6448_B20240521 and V9.3.5u.6437_B20230519 are vulnerable to Incorrect Access Control. Attackers can send payloads to the interface without logging in (remote).
Source: nvd

CVE-2025-55901 | MEDIUM | CVSS 6.5 | v17.0.0cu.596_b20250515 | 2025-12-15
CWE-77: TOTOLINK A3300R V17.0.0cu.596_B20250515 is vulnerable to command injection in the function NTPSyncWithHost via the host_time parameter.
Source: nvd

CVE-2025-12258 | HIGH | CVSS 8.7 | v17.0.0cu.557_b20221024 | 2025-10-27
CWE-119: A vulnerability was detected in TOTOLINK A3300R 17.0.0cu.557_B20221024. Impacted is the function setOpModeCfg of the file /cgi-bin/cstecgi.cg of the component POST Parameter Handler. The manipulation of the argument opmode results in stack-based buffer overflow. The attack may be performed from remote.
Source: nvd

CVE-2025-12240 | HIGH | CVSS 7.4 | v17.0.0cu.557_b20221024 | 2025-10-27
CWE-119: A security vulnerability has been detected in TOTOLINK A3300R 17.0.0cu.557_B20221024. This affects the function setDmzCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument ip leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.
Source: nvd

CVE-2025-12239 | HIGH | CVSS 7.4 | v17.0.0cu.557_b20221024 | 2025-10-27
CWE-119: A weakness has been identified in TOTOLINK A3300R 17.0.0cu.557_B20221024. The impacted element is the function setDdnsCfg of the file /cgi-bin/cstecgi.cgi. Executing manipulation can lead to buffer overflow. The attack may be performed from remote. The exploit has been made available to the public and could be exploited.
Source: nvd

CVE-2025-12241 | HIGH | CVSS 7.4 | v17.0.0cu.557_b20221024 | 2025-10-27
CWE-119: A vulnerability was detected in TOTOLINK A3300R 17.0.0cu.557_B20221024. This impacts the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi of the component POST Parameter Handler. The manipulation of the argument lang results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit is now public and may be used.
Source: nvd

CVE-2025-12259 | HIGH | CVSS 7.4 | v17.0.0cu.557_b20221024 | 2025-10-27
CWE-119: A flaw has been found in TOTOLINK A3300R 17.0.0cu.557_B20221024. The affected element is the function setScheduleCfg of the file /cgi-bin/cstecgi.cgi of the component POST Parameter Handler. This manipulation of the argument recHour causes stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been published and m
Source: nvd

CVE-2025-12260 | HIGH | CVSS 7.4 | v17.0.0cu.557_b20221024 | 2025-10-27
CWE-119: A vulnerability has been found in TOTOLINK A3300R 17.0.0cu.557_B20221024. The impacted element is the function setSyslogCfg of the file /cgi-bin/cstecgi.cgi of the component POST Parameter Handler. Such manipulation of the argument enable leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed
Source: nvd

CVE-2025-52046 | CRITICAL | CVSS 9.8 | v17.0.0cu.596_b20250515 | 2025-07-17
CWE-77: Totolink A3300R V17.0.0cu.596_B20250515 was found to contain a command injection vulnerability in the sub_4197C0 function via the mac and desc parameters. This vulnerability allows unauthenticated attackers to execute arbitrary commands via a crafted request.
Source: nvd

CVE-2024-7331 | HIGH | CVSS 8.7 | v17.0.0cu.557_b20221024 | 2024-08-01
CWE-120: A vulnerability was found in TOTOLINK A3300R 17.0.0cu.557_B20221024 and classified as critical. Affected by this issue is the function UploadCustomModule of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument File leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-
Source: nvd

CVE-2024-7155 | LOW | CVSS 2.0 | v17.0.0cu.557_b20221024 | 2024-07-28
CWE-259: A vulnerability has been found in TOTOLINK A3300R 17.0.0cu.557_B20221024 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /etc/shadow.sample. The manipulation leads to use of hard-coded password. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The expl
Source: nvd

CVE-2024-27521 | HIGH | CVSS 8.0 | v17.0.0cu.557_b20221024 | 2024-03-26
CWE-78: TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain an unauthenticated remote command execution (RCE) vulnerability via multiple parameters in the "setOpModeCfg" function. This security issue allows an attacker to take complete control of the device. In detail, exploitation allows unauthenticated, remote attackers to execute arbitrary syst
Source: nvd