Totolink

Products by Totolink Sorted by Most Security Vulnerabilities since 2018

Totolink X5000r Firmware: 41 vulnerabilities

Totolink A3300r Firmware: 38 vulnerabilities

Totolink X6000r Firmware: 36 vulnerabilities

Totolink A3700r Firmware: 31 vulnerabilities

Totolink A7100ru Firmware: 31 vulnerabilities

Totolink X2000r Firmware: 30 vulnerabilities

Totolink X15 Firmware: 25 vulnerabilities

Totolink Lr350 Firmware: 25 vulnerabilities

Totolink Ca300 Poe Firmware: 24 vulnerabilities

Totolink A3002r Firmware: 23 vulnerabilities

Totolink Ex1200t Firmware: 22 vulnerabilities

Totolink T8 Firmware: 22 vulnerabilities

Totolink A3600r Firmware: 20 vulnerabilities

Totolink Cp450 Firmware: 19 vulnerabilities

Totolink Ex200 Firmware: 18 vulnerabilities

Totolink N150rt Firmware: 15 vulnerabilities

Totolink Ex1800t Firmware: 15 vulnerabilities

Totolink T6 Firmware: 14 vulnerabilities

Totolink A6000r Firmware: 13 vulnerabilities

Totolink X18 Firmware: 11 vulnerabilities

Totolink T10 Firmware: 11 vulnerabilities

Totolink Nr1800x Firmware: 11 vulnerabilities

Totolink A810r Firmware: 10 vulnerabilities

Totolink A3100r Firmware: 10 vulnerabilities

Totolink A3002ru Firmware: 10 vulnerabilities

Totolink Ca600 Poe Firmware: 10 vulnerabilities

Totolink A702r Firmware: 10 vulnerabilities

Totolink A7000r Firmware: 8 vulnerabilities

Totolink Cp900l Firmware: 8 vulnerabilities

Totolink Cp900 Firmware: 7 vulnerabilities

Totolink N300rh Firmware: 7 vulnerabilities

Totolink Ex1200l Firmware: 6 vulnerabilities

Totolink A800r Firmware: 6 vulnerabilities

Totolink A720r Firmware: 6 vulnerabilities

Totolink N300rt Firmware: 6 vulnerabilities

Totolink N600r Firmware: 5 vulnerabilities

Totolink N350rt Firmware: 4 vulnerabilities

Totolink Wa300 Firmware: 3 vulnerabilities

Totolink A3000ru Firmware: 3 vulnerabilities

Totolink A830r Firmware: 3 vulnerabilities

Totolink A950rg Firmware: 3 vulnerabilities

Totolink Cp300 Firmware: 3 vulnerabilities

Totolink A3200r Firmware: 3 vulnerabilities

Totolink N200re V5 Firmware: 2 vulnerabilities

Totolink A8000ru Firmware: 2 vulnerabilities

Totolink X18: 2 vulnerabilities

Totolink Lr1200 Firmware: 2 vulnerabilities

Totolink Lr1200gb Firmware: 2 vulnerabilities

Totolink N302r Plus Firmware: 2 vulnerabilities

Totolink N100re Firmware: 1 vulnerability

Totolink N302re Firmware: 1 vulnerability

Totolink Ar810r Firmware: 1 vulnerability

Totolink N302r Firmware: 1 vulnerability

Totolink A860r Firmware: 1 vulnerability

Totolink N301rt Firmware: 1 vulnerability

Totolink N200re Firmware: 1 vulnerability

Totolink N300rb Firmware: 1 vulnerability

Totolink A6000ub Firmware: 1 vulnerability

By the Year

In 2026 there have been 43 vulnerabilities in Totolink with an average score of 7.1 out of ten. Last year, in 2025, Totolink had 253 security vulnerabilities published. Right now, Totolink is on track to have fewer security vulnerabilities in 2026 than it did last year. Last year, the average CVE base score was greater by 0.97.




Year Vulnerabilities Average Score
2026 43 7.10
2025 253 8.07
2024 219 9.09
2023 105 9.65
2022 18 9.30
2021 0 0.00
2020 1 0.00

It may take a day or so for new Totolink vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Totolink Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-5692 Apr 06, 2026
Totolink A7100RU 7.4cu OS Command Injection via setGameSpeedCfg
A vulnerability was found in Totolink A7100RU 7.4cu.2313_b20191024. This impacts the function setGameSpeedCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument enable results in os command injection. The attack may be performed from remote. The exploit has been made public and could be used.
A7100ru Firmware
CVE-2026-5691 Apr 06, 2026
Totolink A7100RU 7.4cu.2313 OS Command Injection via setFirewallType
A vulnerability has been found in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function setFirewallType of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument firewallType leads to os command injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used.
A7100ru Firmware
CVE-2026-5690 Apr 06, 2026
Totolink A7100RU 7.4cu OS Command Injection via setRemoteCfg
A flaw has been found in Totolink A7100RU 7.4cu.2313_b20191024. The impacted element is the function setRemoteCfg of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument enable can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used.
A7100ru Firmware
CVE-2026-5689 Apr 06, 2026
Totolink A7100RU OS Command Injection via setNtpCfg (v7.4cu)
A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. The affected element is the function setNtpCfg of the file /cgi-bin/cstecgi.cgi. Performing a manipulation of the argument tz results in os command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used.
A7100ru Firmware
CVE-2026-5688 Apr 06, 2026
Totolink A7100RU 7.4cu os cmd injection via setDdnsCfg CGI
A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. Impacted is the function setDdnsCfg of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument provider leads to os command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.
A7100ru Firmware
CVE-2026-5679 Apr 06, 2026
OSCmdInj via stun_pass in Totolink A3300R v1.70.0cu.557_B20221024 vsetTr069Cfg
A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_B20221024. The impacted element is the function vsetTr069Cfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument stun_pass leads to os command injection. The exploit has been disclosed publicly and may be used.
A3300r Firmware
CVE-2026-5678 Apr 06, 2026
Totolink A7100RU 7.4cu Command Injection in cstecgi.cgi setScheduleCfg
A weakness has been identified in Totolink A7100RU 7.4cu.2313_b20191024. The affected element is the function setScheduleCfg of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument mode can lead to os command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks.
A7100ru Firmware
CVE-2026-5677 Apr 06, 2026
Totolink A7100RU 7.4cu Remote OS Command Injection via cstecgi.cgi
A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. Impacted is the function CsteSystem of the file /cgi-bin/cstecgi.cgi. Performing a manipulation of the argument resetFlags results in os command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks.
A7100ru Firmware
CVE-2026-5676 Apr 06, 2026
Totolink A8000R 5.9c.681 Remote Auth Bypass via setLanguageCfg
A vulnerability was identified in Totolink A8000R 5.9c.681_B20180413. This issue affects the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument langType leads to missing authentication. The attack can be launched remotely. The exploit is publicly available and might be used.
CVE-2026-5178 Mar 31, 2026
Totolink A3300R 17.0.0cu.557_b20221024: setIptvCfg Command Injection
A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_b20221024. Affected by this issue is the function setIptvCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument vlanPriLan3 leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.
A3300r Firmware
CVE-2026-5177 Mar 31, 2026
Command Injection via setWiFiBasicCfg in Totolink A3300R 17.0.0cu.557_b20221024
A weakness has been identified in Totolink A3300R 17.0.0cu.557_b20221024. Affected by this vulnerability is the function setWiFiBasicCfg of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument rxRate can lead to command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks.
A3300r Firmware
CVE-2026-5176 Mar 31, 2026
Totolink A3300R 17.0.0cu.557_cgi cmd injection in setSyslogCfg
A security flaw has been discovered in Totolink A3300R 17.0.0cu.557_b20221024. Affected is the function setSyslogCfg of the file /cgi-bin/cstecgi.cgi. Performing a manipulation of the argument provided results in command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks.
A3300r Firmware
CVE-2026-5105 Mar 30, 2026
Totolink A3300R 17.0.0cu.557 cmd injection via setVpnPassCfg(pptpPassThru)
A vulnerability was detected in Totolink A3300R 17.0.0cu.557_b20221024. The affected element is the function setVpnPassCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. Performing a manipulation of the argument pptpPassThru results in command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.
A3300r Firmware
CVE-2026-5104 Mar 30, 2026
Totolink A3300R 17.0.0cu.557_b20221024: setStaticRoute Remote Command Injection
A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_b20221024. Impacted is the function setStaticRoute of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument ip leads to command injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.
A3300r Firmware
CVE-2026-5103 Mar 30, 2026
Totolink A3300R 17.0.0cu.557 Remote Command Injection via setUPnPCfg
A weakness has been identified in Totolink A3300R 17.0.0cu.557_b20221024. This issue affects the function setUPnPCfg of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument enable causes command injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks.
A3300r Firmware
CVE-2026-5102 Mar 30, 2026
Command injection in Totolink A3300R 17.0.0cu via setSmartQosCfg (qos_up_bw)
A security flaw has been discovered in Totolink A3300R 17.0.0cu.557_b20221024. This vulnerability affects the function setSmartQosCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. The manipulation of the argument qos_up_bw results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.
A3300r Firmware
CVE-2026-5101 Mar 29, 2026
CVE-2026-5101: Totolink A3300R <17.0.0cu.557_b20221024 cmd injection setLanCfg
A vulnerability was identified in Totolink A3300R 17.0.0cu.557_b20221024. This affects the function setLanCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. The manipulation of the argument lanIp leads to command injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.
A3300r Firmware
CVE-2026-5030 Mar 29, 2026
Totolink NR1800X <9.1.0u.6279 Telnet NTPSync Hostcmd Injection
A vulnerability has been found in Totolink NR1800X 9.1.0u.6279_B20210910. This issue affects the function NTPSyncWithHost of the file /cgi-bin/cstecgi.cgi of the component Telnet Service. The manipulation of the argument host_time leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Nr1800x Firmware
CVE-2026-5020 Mar 29, 2026
CVE-2026-5020: Totolink A3600R 4.1.2cu.5182_B20201102 Command Injection via setNoticeCfg
A vulnerability was detected in Totolink A3600R 4.1.2cu.5182_B20201102. Affected by this issue is the function setNoticeCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. The manipulation of the argument NoticeUrl results in command injection. The attack may be launched remotely. The exploit is now public and may be used.
A3600r Firmware
CVE-2026-4976 Mar 27, 2026
Totolink LR350 9.3.5u Remote WiFi Guest Config Buffer Overflow
A vulnerability was found in Totolink LR350 9.3.5u.6369_B20220309. This vulnerability affects the function setWiFiGuestCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument ssid results in buffer overflow. The attack can be launched remotely. The exploit has been made public and could be used.
Lr350 Firmware
CVE-2026-4611 Mar 23, 2026
Remote OS Command Injection via Hostname in setLanCfg (Totolink X6000R 9.4)
A flaw has been found in TOTOLINK X6000R 9.4.0cu.1360_B20241207/9.4.0cu.1498_B20250826. Affected by this issue is the function setLanCfg of the file /usr/sbin/shttpd. Executing a manipulation of the argument Hostname can lead to os command injection. The attack may be launched remotely.
X6000r Firmware
CVE-2026-4497 Mar 20, 2026
OSCmd Injection in Totolink WA300 5.2cu.7112_B20190227 recvUpgradeNewFw
A vulnerability was determined in Totolink WA300 5.2cu.7112_B20190227. Affected by this issue is the function recvUpgradeNewFw of the file /cgi-bin/cstecgi.cgi. This manipulation causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
Wa300 Firmware
CVE-2026-3696 Mar 08, 2026
TOTOLINK N300RH CGI Handler WPS Command Injection
A vulnerability was found in Totolink N300RH 6..1c.1353_B20190305. The affected element is the function setWiFiWpsConfig of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation results in os command injection. The attack can be initiated remotely. The exploit has been made public and could be used.
N300rh Firmware
CVE-2026-3301 Feb 27, 2026
OS Command Injection in Totolink N300RH 6.1c.1353 Web Management Interface
A security flaw has been discovered in Totolink N300RH 6.1c.1353_B20190305. Affected by this vulnerability is the function setWebWlanIdx of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Performing a manipulation of the argument webWlanIdx results in os command injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.
N300rh Firmware
CVE-2026-2167 Feb 08, 2026
Totolink WA300 Remote OS Command Injection via setAPNetwork (5.2cu.7112)
A vulnerability was detected in Totolink WA300 5.2cu.7112_B20190227. The impacted element is the function setAPNetwork of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument Ipaddr results in os command injection. The attack may be performed from remote. The exploit is now public and may be used.
Wa300 Firmware
CVE-2026-1723 Jan 30, 2026
TOTOLINK X6000R Pre-9.4.0cu.1498 OS Command Injection Vulnerability
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in TOTOLINK X6000R allows OS Command Injection. This issue affects X6000R: through V9.4.0cu.1498_B20250826.
X6000r Firmware
CVE-2026-1686 Jan 30, 2026
Totolink A3600R 5.9c.4959 Buffer Overflow in setAppEasyWizardConfig
A security flaw has been discovered in Totolink A3600R 5.9c.4959. This issue affects the function setAppEasyWizardConfig in the library /lib/cste_modules/app.so. Performing a manipulation of the argument apcliSsid results in buffer overflow. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks.
A3600r Firmware
CVE-2026-1623 Jan 29, 2026
Cmd Injection via FileName in Totolink A7000R 4.1cu.4154 setUpgradeFW
A weakness has been identified in Totolink A7000R 4.1cu.4154. Impacted is the function setUpgradeFW of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument FileName causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.
A7000r Firmware
CVE-2026-1601 Jan 29, 2026
Totolink A7000R 4.1cu.4154 Cmd Inj via cstecgi.cgi
A weakness has been identified in Totolink A7000R 4.1cu.4154. The impacted element is the function setUploadUserData of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument FileName can lead to command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.
A7000r Firmware
CVE-2026-1548 Jan 28, 2026
Cmd Injection in Totolink A7000R 4.1cu.4154 /cgi-bin/cstecgi.cgi
A flaw has been found in Totolink A7000R 4.1cu.4154. This impacts the function CloudACMunualUpdateUserdata of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument url causes command injection. The attack can be initiated remotely. The exploit has been published and may be used.
A7000r Firmware
CVE-2026-1547 Jan 28, 2026
Command Injection in Totolink A7000R 4.1cu.4154's setUnloadUserData CGI
A vulnerability was detected in Totolink A7000R 4.1cu.4154. This affects the function setUnloadUserData of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument plugin_name results in command injection. It is possible to launch the attack remotely. The exploit is now public and may be used.
A7000r Firmware
CVE-2026-1328 Jan 22, 2026
Totolink NR1800X 9.1.0u.6279 Remote Buffer Overflow via setWizardCfg ssid
A vulnerability was detected in Totolink NR1800X 9.1.0u.6279_B20210910. Impacted is the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Performing a manipulation of the argument ssid results in buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used.
Nr1800x Firmware
CVE-2026-1327 Jan 22, 2026
Totolink NR1800X 9.1.0u Command Injection via POST Handler
A security vulnerability has been detected in Totolink NR1800X 9.1.0u.6279_B20210910. This issue affects the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Such manipulation of the argument command leads to command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.
Nr1800x Firmware
CVE-2026-1326 Jan 22, 2026
Command Injection in Totolink NR1800X 9.1.0u via POST Hostname
A weakness has been identified in Totolink NR1800X 9.1.0u.6279_B20210910. This vulnerability affects the function setWanCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. This manipulation of the argument Hostname causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.
Nr1800x Firmware
CVE-2026-1158 Jan 19, 2026
Totolink LR350 9.3.5u Buffer Overflow via POST ssid in cstecgi.cgi
A security flaw has been discovered in Totolink LR350 9.3.5u.6369_B20220309. This vulnerability affects the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Performing a manipulation of the argument ssid results in buffer overflow. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.
Lr350 Firmware
CVE-2026-1157 Jan 19, 2026
Totolink LR350 9.3.5u.6369 Remote Buffer Overflow in setWiFiEasyCfg
A vulnerability was identified in Totolink LR350 9.3.5u.6369_B20220309. This affects the function setWiFiEasyCfg of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument ssid leads to buffer overflow. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
Lr350 Firmware
CVE-2026-1156 Jan 19, 2026
Totolink LR350 9.3.5u.6369_B20220309 Buffer Overflow via setWiFiBasicCfg
A vulnerability was determined in Totolink LR350 9.3.5u.6369_B20220309. Affected by this issue is the function setWiFiBasicCfg of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument ssid causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
Lr350 Firmware
CVE-2026-1155 Jan 19, 2026
Totolink LR350 9.3.5u.6369 Buffer Overflow in setWiFiEasyGuestCfg (Remote)
A vulnerability was found in Totolink LR350 9.3.5u.6369_B20220309. Affected by this vulnerability is the function setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument ssid results in buffer overflow. The attack may be performed from remote. The exploit has been made public and could be used.
Lr350 Firmware
CVE-2026-1150 Jan 19, 2026
Totolink LR350 9.3.5u Command Injection via POST setTracerouteCfg (Remote)
A security flaw has been discovered in Totolink LR350 9.3.5u.6369_B20220309. Impacted is the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument command results in command injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks.
Lr350 Firmware
CVE-2026-1149 Jan 19, 2026
Totolink LR350 9.3.5u remote command injection via /cgi-bin/cstecgi.cgi
A vulnerability was identified in Totolink LR350 9.3.5u.6369_B20220309. This issue affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument ip leads to command injection. The attack can be initiated remotely. The exploit is publicly available and might be used.
Lr350 Firmware
CVE-2026-1143 Jan 19, 2026
TOTOLINK A3700R 9.1.2u Buffer Overflow via ssid in setWiFiEasyGuestCfg
A weakness has been identified in TOTOLINK A3700R 9.1.2u.5822_B20200513. This affects the function setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument ssid can lead to buffer overflow. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks.
A3700r Firmware
CVE-2026-0731 Jan 08, 2026
TOTOLINK WA1200 5.9c remote null ptr deref
A vulnerability has been found in TOTOLINK WA1200 5.9c.2914. The impacted element is an unknown function of the file cstecgi.cgi of the component HTTP Request Handler. The manipulation leads to null pointer dereference. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used.
CVE-2026-0641 Jan 06, 2026
TOTOLINK WA300 5.2cu.7112 cmd injection in cstecgi.cgi sub_401510
A security vulnerability has been detected in TOTOLINK WA300 5.2cu.7112_B20190227. This vulnerability affects the function sub_401510 of the file cstecgi.cgi. The manipulation of the argument UPLOAD_FILENAME leads to command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used.
Wa300 Firmware
CVE-2025-14964 Dec 19, 2025
Stack Buffer Overrun via loginAuthUrl in TOTOLINK T10 4.1.8cu.5083_B20200521
A vulnerability has been found in TOTOLINK T10 4.1.8cu.5083_B20200521. This affects the function sprintf of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument loginAuthUrl leads to stack-based buffer overflow. The attack may be performed from remote.
T10 Firmware
CVE-2025-14586 Dec 13, 2025
Cmd Injection via snprintf in TOTOLINK X5000R 9.1.0 (exportOvpn)
A vulnerability was determined in TOTOLINK X5000R 9.1.0cu.2089_B20211224. Affected by this issue is the function snprintf of the file /cgi-bin/cstecgi.cgi?action=exportOvpn&type=user. This manipulation of the argument User causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
X5000r Firmware
CVE-2025-34319 Dec 03, 2025
OS Command Injection in TOTOLINK N300RT (V3.4.0-B20250430-) Boa formWsc
TOTOLINK N300RT wireless router firmware versions prior to V3.4.0-B20250430 (discovered in V2.1.8-B20201030.1539) contain an OS command injection vulnerability in the Boa formWsc handling functionality. An unauthenticated attacker can send specially crafted requests to trigger command execution via the targetAPSsid request parameter.
N300rt Firmware
CVE-2025-12260 Oct 27, 2025
TOTOLINK A3300R 17.0.0cu.557_B20221024 POST Buffer Overflow in setSyslogCfg
A vulnerability has been found in TOTOLINK A3300R 17.0.0cu.557_B20221024. The impacted element is the function setSyslogCfg of the file /cgi-bin/cstecgi.cgi of the component POST Parameter Handler. Such manipulation of the argument enable leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
A3300r Firmware
CVE-2025-12259 Oct 27, 2025
Stack Buffer Overflow in TOTOLINK A3300R setScheduleCfg Remote
A flaw has been found in TOTOLINK A3300R 17.0.0cu.557_B20221024. The affected element is the function setScheduleCfg of the file /cgi-bin/cstecgi.cgi of the component POST Parameter Handler. This manipulation of the argument recHour causes stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been published and may be used.
A3300r Firmware
CVE-2025-12258 Oct 27, 2025
Remote buffer overflow via SETOPMODE in TOTOLINK A3300R 17.0.0cu.557
A vulnerability was detected in TOTOLINK A3300R 17.0.0cu.557_B20221024. Impacted is the function setOpModeCfg of the file /cgi-bin/cstecgi.cg of the component POST Parameter Handler. The manipulation of the argument opmode results in stack-based buffer overflow. The attack may be performed from remote.
A3300r Firmware
CVE-2025-12241 Oct 27, 2025
TOTOLINK A3300R 17.0.0cu.557_B20221024 buf overflow in setLanguageCfg
A vulnerability was detected in TOTOLINK A3300R 17.0.0cu.557_B20221024. This impacts the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi of the component POST Parameter Handler. The manipulation of the argument lang results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit is now public and may be used.
A3300r Firmware
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).