Submit #792650: Totolink A3300R V17.0.0cu.557_B20221024 OS Command Injectioninfo

TitleTotolink A3300R V17.0.0cu.557_B20221024 OS Command Injection
DescriptionThe parameter stun_pass in "topicurlv = vsetTr069Cfg" is unsafely used in command construction in /cgi-bin/cstecgi.cgi. Because the value is not sanitized before reaching CsteSystem/execv, specially crafted input can inject and execute arbitrary OS commands.
Source⚠️ https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-pass-cmd-injection
User
 m202572177 (UID 95972)
Submission03/30/2026 05:10 (3 months ago)
Moderation04/06/2026 11:45 (7 days later)
StatusAccepted
VulDB entry355506 [Totolink A3300R 17.0.0cu.557_B20221024 /cgi-bin/cstecgi.cgi vsetTr069Cfg stun_pass os command injection]
Points18

Do you need the next level of professionalism?

Upgrade your account now!