CVE-2026-5105

Опубликовано: 30 мар. 2026

Источник: nvd

CVSS3: 6.3

CVSS3: 8.8

CVSS2: 6.5

EPSS Низкий

Описание

A vulnerability was detected in Totolink A3300R 17.0.0cu.557_b20221024. The affected element is the function setVpnPassCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. Performing a manipulation of the argument pptpPassThru results in command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.

Ссылки

https://github.com/LvHongW/Vuln-of-totolink_A3300R/tree/main/A3300R_pptpPassThru_cmd_inject
Exploit
Third Party Advisory
https://vuldb.com/submit/779143
Permissions Required
VDB Entry
https://vuldb.com/vuln/354130
Third Party Advisory
VDB Entry
https://vuldb.com/vuln/354130/cti
Third Party Advisory
VDB Entry
https://www.totolink.net/
Product

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:o:totolink:a3300r_firmware:17.0.0cu.557_b20221024:*:*:*:*:*:*:*

cpe:2.3:h:totolink:a3300r:-:*:*:*:*:*:*:*

EPSS

Процентиль: 84%

0.02164

Низкий

6.3 Medium

CVSS3

8.8 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-74

CWE-77

Связанные уязвимости

GHSA-3h9m-4hx4-r4rj

CVSS3: 6.3

github

9 дней назад

EPSS

Процентиль: 84%

0.02164

Низкий

6.3 Medium

CVSS3

8.8 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-74

CWE-77