CVE-2026-0641 – This CVE describes a command injection vulnerab... (How to Fix)

Q: What is the severity of CVE-2026-0641?

CVE-2026-0641 has a CVSS score of 6.3 (MEDIUM). This CVE describes a command injection vulnerability in TOTOLINK WA300 routers that allows remote attackers to execute arbitrary commands on affected devices. The vulnerability exists in the cstecgi.cgi file's sub_401510 function via manipulation of the UPLOAD_FILENAME argument. Organizations using TOTOLINK WA300 routers with the vulnerable firmware version are affected.

📋 TL;DR

This CVE describes a command injection vulnerability in TOTOLINK WA300 routers that allows remote attackers to execute arbitrary commands on affected devices. The vulnerability exists in the cstecgi.cgi file's sub_401510 function via manipulation of the UPLOAD_FILENAME argument. Organizations using TOTOLINK WA300 routers with the vulnerable firmware version are affected.

💻 Affected Systems

Products:

TOTOLINK WA300

Versions: 5.2cu.7112_B20190227

Operating Systems: Embedded router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability affects the specific firmware version mentioned; other versions may also be vulnerable but unconfirmed.

📦 What is this software?

Wa300 Firmware by Totolink

View all CVEs affecting Wa300 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the router allowing attackers to establish persistence, pivot to internal networks, intercept traffic, or use the device for botnet activities.

🟠

Likely Case

Remote code execution leading to device compromise, credential theft, network reconnaissance, or denial of service.

🟢

If Mitigated

Limited impact if network segmentation prevents lateral movement and the device is not internet-facing.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public proof-of-concept exists, making exploitation straightforward for attackers with basic skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

Check TOTOLINK vendor website for firmware updates. If available, download and apply the latest firmware through the router's web interface.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate affected routers from critical network segments and restrict access to management interfaces.

Access Control Lists

all

Implement firewall rules to restrict access to the vulnerable CGI endpoint (typically port 80/443).

🧯 If You Can't Patch

Replace affected devices with supported models from vendors providing security updates.
Implement strict network monitoring and intrusion detection for suspicious activity targeting the routers.

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via web interface (typically under System Status or About page).

Check Version:

Not applicable - check via web interface or consult device documentation.

Verify Fix Applied:

Verify firmware version has been updated to a version newer than 5.2cu.7112_B20190227.

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to cstecgi.cgi with UPLOAD_FILENAME parameter containing shell metacharacters
Unexpected command execution in system logs

Network Indicators:

Suspicious traffic to router management interface from unexpected sources
Outbound connections from router to unknown destinations

SIEM Query:

source="router_logs" AND (uri="*cstecgi.cgi*" AND (param="*UPLOAD_FILENAME*" AND value="*;*" OR value="*|*" OR value="*`*"))

📊 Metadata

CVE ID: CVE-2026-0641

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-74

EPSS Score: 3.08% exploit probability (86.5th percentile)

Published: January 6, 2026

Last Updated: January 22, 2026

🔗 References

https://github.com/JackWesleyy/CVE/blob/main/WA300/TOTOLINK_WA300_RCE.md Exploit,Third Party Advisory
https://github.com/JackWesleyy/CVE/blob/main/WA300/TOTOLINK_WA300_RCE.md#poc Exploit,Third Party Advisory
https://vuldb.com/?ctiid.339684 Permissions Required,VDB Entry
https://vuldb.com/?id.339684 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.732234 Third Party Advisory,VDB Entry
https://www.totolink.net/ Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-0641, you might also want to check these: