Totolink A3300r Firmware
By the Year
In 2025 there have been 7 vulnerabilities in Totolink A3300r Firmware with an average score of 8.9 out of ten. Last year, in 2024, A3300r Firmware had 18 security vulnerabilities published. Right now, A3300r Firmware is on track to have fewer security vulnerabilities in 2025 than it did last year. Last year, the average CVE base score was greater by 0.50.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2025 | 7 | 8.94 |
| 2024 | 18 | 9.44 |
| 2023 | 4 | 9.23 |
It may take a day or so for new A3300r Firmware vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Totolink A3300r Firmware Security Vulnerabilities
TOTOLINK A3300R 17.0.0cu.557_B20221024 POST Buffer Overflow in setSyslogCfg
CVE-2025-12260
8.8 - High
- October 27, 2025
A vulnerability has been found in TOTOLINK A3300R 17.0.0cu.557_B20221024. The impacted element is the function setSyslogCfg of the file /cgi-bin/cstecgi.cgi of the component POST Parameter Handler. Such manipulation of the argument enable leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Stack Overflow
Stack Buffer Overflow in TOTOLINK A3300R setScheduleCfg Remote
CVE-2025-12259
8.8 - High
- October 27, 2025
A flaw has been found in TOTOLINK A3300R 17.0.0cu.557_B20221024. The affected element is the function setScheduleCfg of the file /cgi-bin/cstecgi.cgi of the component POST Parameter Handler. This manipulation of the argument recHour causes stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been published and may be used.
Stack Overflow
Remote buffer overflow via SETOPMODE in TOTOLINK A3300R 17.0.0cu.557
CVE-2025-12258
8.8 - High
- October 27, 2025
A vulnerability was detected in TOTOLINK A3300R 17.0.0cu.557_B20221024. Impacted is the function setOpModeCfg of the file /cgi-bin/cstecgi.cg of the component POST Parameter Handler. The manipulation of the argument opmode results in stack-based buffer overflow. The attack may be performed from remote.
Stack Overflow
TOTOLINK A3300R 17.0.0cu.557_B20221024 buf overflow in setLanguageCfg
CVE-2025-12241
8.8 - High
- October 27, 2025
A vulnerability was detected in TOTOLINK A3300R 17.0.0cu.557_B20221024. This impacts the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi of the component POST Parameter Handler. The manipulation of the argument lang results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit is now public and may be used.
Stack Overflow
Buffer Overflow in TOTOLINK A3300R 17.0.0cu setDmzCfg CGI Remote
CVE-2025-12240
8.8 - High
- October 27, 2025
A security vulnerability has been detected in TOTOLINK A3300R 17.0.0cu.557_B20221024. This affects the function setDmzCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument ip leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.
Classic Buffer Overflow
TOTOLINK A3300R 17.0.0cu Buffer Overflow in setDdnsCfg via cgi-bin/cstecgi.cgi
CVE-2025-12239
8.8 - High
- October 27, 2025
A weakness has been identified in TOTOLINK A3300R 17.0.0cu.557_B20221024. The impacted element is the function setDdnsCfg of the file /cgi-bin/cstecgi.cgi. Executing manipulation can lead to buffer overflow. The attack may be performed from remote. The exploit has been made available to the public and could be exploited.
Classic Buffer Overflow
Command Injection in Totolink A3300R V17.0.0 sub_4197C0 via mac/desc
CVE-2025-52046
9.8 - Critical
- July 17, 2025
Totolink A3300R V17.0.0cu.596_B20250515 was found to contain a command injection vulnerability in the sub_4197C0 function via the mac and desc parameters. This vulnerability allows unauthenticated attackers to execute arbitrary commands via a crafted request.
Command Injection
TOTOLINK A3300R CGI 'UploadCustomModule' Buffer Overflow CVE-2024-7331
CVE-2024-7331
8.8 - High
- August 01, 2024
A vulnerability was found in TOTOLINK A3300R 17.0.0cu.557_B20221024 and classified as critical. Affected by this issue is the function UploadCustomModule of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument File leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-273254 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Classic Buffer Overflow
Hard-coded password in /etc/shadow.sample on TOTOLINK A3300R 17.0.0cu
CVE-2024-7155
4.7 - Medium
- July 28, 2024
A vulnerability has been found in TOTOLINK A3300R 17.0.0cu.557_B20221024 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /etc/shadow.sample. The manipulation leads to use of hard-coded password. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-272569 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Use of Hard-coded Credentials
TOTO-API RCE via setOpModeCfg on A3300R v17.0.0cu.557_B20221024
CVE-2024-27521
- March 26, 2024
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain an unauthenticated remote command execution (RCE) vulnerability via multiple parameters in the "setOpModeCfg" function. This security issue allows an attacker to take complete control of the device. In detail, exploitation allows unauthenticated, remote attackers to execute arbitrary system commands with administrative privileges (i.e., as user "root").
Cmd Injection via enable in setMacFilterRules, TOTOLINK A3300R V17.0.0cu.557
CVE-2024-24328
9.8 - Critical
- January 30, 2024
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the enable parameter in the setMacFilterRules function.
Shell injection
Command Injection in TOTOLINK A3300R V17.0.0cu via arpEnable
CVE-2024-24326
9.8 - Critical
- January 30, 2024
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the arpEnable parameter in the setStaticDhcpRules function.
Shell injection
Command Injection in TOTOLINK A3300R V17 Via setParentalRules (enable)
CVE-2024-24325
9.8 - Critical
- January 30, 2024
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the enable parameter in the setParentalRules function.
Shell injection
Command Injection in TOTOLINK A3300R V17.0.0cu.557_B20221024 setPortForwardRules
CVE-2024-24329
9.8 - Critical
- January 30, 2024
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the enable parameter in the setPortForwardRules function.
Shell injection
Cmd Inject in TOTOLINK A3300R V17 via desc param in setWiFiAclRules
CVE-2024-24333
9.8 - Critical
- January 30, 2024
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the desc parameter in the setWiFiAclRules function.
Shell injection
TOTOLINK A3300R v17.0.0cu.557 B20221024 cmd-injection via setRemoteCfg
CVE-2024-24330
9.8 - Critical
- January 30, 2024
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the port or enable parameter in the setRemoteCfg function.
Shell injection
TOTOLINK A3300R V17.0.0cu.557 cmd-inj via URL in setUrlFilterRules
CVE-2024-24332
9.8 - Critical
- January 30, 2024
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the url parameter in the setUrlFilterRules function.
Shell injection
Command Injection in TOTOLINK A3300R V17.0.0cu.557 via pppoePass
CVE-2024-24327
9.8 - Critical
- January 30, 2024
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the pppoePass parameter in the setIpv6Cfg function.
Shell injection
Cmd Injection in TOTOLINK A3300R v17 via setWiFiScheduleCfg enable
CVE-2024-24331
9.8 - Critical
- January 30, 2024
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the enable parameter in the setWiFiScheduleCfg function.
Shell injection
TOTOLINK A3300R V17.0.0cu.557_B20221024 command injection via hostName
CVE-2024-22942
9.8 - Critical
- January 11, 2024
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the hostName parameter in the setWanCfg function.
Shell injection
Command Injection in TOTOLINK A3300R v17.0.0cu.557 via setDdnsCfg
CVE-2024-23059
9.8 - Critical
- January 11, 2024
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the username parameter in the setDdnsCfg function.
Shell injection
Command Injection in TOTOLINK A3300R 17.0.0cu.557 via setDmzCfg
CVE-2024-23060
9.8 - Critical
- January 11, 2024
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the ip parameter in the setDmzCfg function.
Shell injection
TOTOLINK A3300R V17.x cmd injection via minute param
CVE-2024-23061
9.8 - Critical
- January 11, 2024
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the minute parameter in the setScheduleCfg function.
Shell injection
Command Injection via setTr069Cfg in TOTOLINK A3300R V17.0.0cu.557
CVE-2024-23058
9.8 - Critical
- January 11, 2024
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the pass parameter in the setTr069Cfg function.
Shell injection
Cmd Injection in TOTOLINK A3300R NTP tz Param (V17.0.0cu.557_B20221024)
CVE-2024-23057
9.8 - Critical
- January 11, 2024
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the tz parameter in the setNtpCfg function.
Shell injection
TOTOLINK A3300R V17.0.0cu.557_B20221024 FoC: Unauthenticated Password Reset
CVE-2023-46992
7.5 - High
- October 31, 2023
TOTOLINK A3300R V17.0.0cu.557_B20221024 is vulnerable to Incorrect Access Control. Attackers are able to reset several critical passwords without authentication by visiting specific pages.
Command Injection via setLedCfg in TOTOLINK A3300R v17.0.0cu.557
CVE-2023-46993
9.8 - Critical
- October 31, 2023
In TOTOLINK A3300R V17.0.0cu.557_B20221024, when handling a setLedCfg request, there is no verification of the enable parameter, which can lead to command injection.
Command Injection
Command Injection in TOTOLINK A3300R 17.0.0cu.557 UploadFirmwareFile
CVE-2023-46976
9.8 - Critical
- October 31, 2023
TOTOLINK A3300R 17.0.0cu.557_B20221024 contains a command injection via the file_name parameter in the UploadFirmwareFile function.
Command Injection
TOTOLINK A3300R v17.0.0cu.557 is vulnerable to Command Injection
CVE-2023-31729
9.8 - Critical
- May 18, 2023
TOTOLINK A3300R v17.0.0cu.557 is vulnerable to Command Injection via /cgi-bin/cstecgi.cgi.
Command Injection