CVE-2026-0641: Command Injection in TOTOLINK WA300
A security vulnerability has been detected in TOTOLINK WA300 5.2cu.7112_B20190227. This vulnerability affects the function sub_401510 of the file cstecgi.cgi. The manipulation of the argument UPLOAD_FILENAME leads to command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used.
AI Analysis
Technical Summary
CVE-2026-0641 identifies a command injection vulnerability in the TOTOLINK WA300 router firmware version 5.2cu.7112_B20190227. The vulnerability resides in the sub_401510 function within the cstecgi.cgi CGI script, specifically through improper sanitization of the UPLOAD_FILENAME argument. An attacker can remotely send crafted requests to this CGI endpoint, injecting arbitrary shell commands that the router executes with elevated privileges. The vulnerability requires no authentication or user interaction, making it remotely exploitable over the network. The CVSS 4.0 base score is 5.3 (medium), reflecting the moderate impact and ease of exploitation without privileges. While no active exploitation has been confirmed, the public disclosure of the exploit code increases the risk of opportunistic attacks. Successful exploitation could allow attackers to gain persistent control over the router, manipulate network traffic, deploy malware, or pivot to internal networks. The lack of vendor patches at the time of disclosure necessitates immediate defensive measures. This vulnerability highlights the risks of insecure CGI scripts in embedded device firmware and the importance of input validation and secure coding practices in IoT and networking equipment.
Potential Impact
For European organizations, exploitation of this vulnerability could lead to unauthorized control over network routers, resulting in interception or redirection of sensitive data, disruption of network services, and potential lateral movement within corporate networks. This could compromise confidentiality, integrity, and availability of internal systems and data. Small and medium enterprises using TOTOLINK WA300 devices as primary network gateways are particularly vulnerable due to limited security monitoring. Critical infrastructure sectors relying on these routers for connectivity may face operational disruptions or espionage risks. The medium severity score indicates a moderate but tangible threat, especially given the ease of remote exploitation without authentication. The public availability of exploit code increases the likelihood of attacks targeting unpatched devices across Europe, potentially impacting business continuity and data protection compliance under GDPR.
Mitigation Recommendations
1. Immediately isolate affected TOTOLINK WA300 devices from external networks to prevent remote exploitation.
2. Disable remote management interfaces and any unnecessary services exposing the cstecgi.cgi endpoint.
3. Implement strict network segmentation to limit router access to trusted administrators only.
4. Monitor network traffic for unusual requests targeting the UPLOAD_FILENAME parameter or the cstecgi.cgi script.
5. Apply vendor firmware updates as soon as they become available; if no patch exists, consider replacing affected devices with models from vendors with active security support.
6. Employ intrusion detection systems (IDS) with signatures for known exploit attempts against this vulnerability.
7. Conduct regular security audits of network devices and enforce strong access controls.
8. Educate IT staff about this vulnerability and ensure incident response plans include steps for router compromise scenarios.
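The input-validation point made in the technical summary and the monitoring step (4) above both come down to the same question: does the UPLOAD_FILENAME value look like a filename, or does it carry shell metacharacters? The following is an added example, not code from this advisory and not TOTOLINK firmware. It assumes a web-server access log in Common Log Format whose request line still shows the query string, that the parameter arrives in the query string, and a hypothetical script path /cgi-bin/cstecgi.cgi; the script and parameter names are the ones the advisory gives, and every log line is constructed.

```python
"""Allowlist validation for an upload-filename parameter and a log detector
built on the same predicate. Added example for this advisory; the script name
cstecgi.cgi and the parameter UPLOAD_FILENAME come from the advisory, the path
/cgi-bin/cstecgi.cgi is an assumption, and the log lines are constructed."""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Allowlist a hardened handler should enforce before the value is used in any
# command or path: one path component, safe characters only, bounded length.
SAFE_FILENAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._-]{0,63}")

# Shell metacharacters and traversal sequences: a value carrying any of these
# must never reach system()/popen(), and their presence in a logged request is
# what a defender alerts on.
SHELL_META = re.compile(r"[;&|`$<>\n\r\\'\"]|\.\./")

# Common Log Format; the request target keeps its query string.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+$'
)

WATCHED_SCRIPT = "cstecgi.cgi"     # file name from the advisory
WATCHED_PARAM = "UPLOAD_FILENAME"  # argument name from the advisory


def is_safe_upload_filename(value: str) -> bool:
    """Validation a hardened CGI handler would apply: allowlisted names only."""
    return SAFE_FILENAME.fullmatch(value) is not None


def classify_value(value: str) -> Optional[str]:
    """Grade one parameter value: 'high' for injection or traversal patterns,
    'medium' for anything else outside the allowlist, None if clean."""
    # parse_qs has already decoded once; decoding again catches %25 double-encoding.
    for candidate in (value, unquote(value)):
        if SHELL_META.search(candidate):
            return "high"
    if not is_safe_upload_filename(value):
        return "medium"
    return None


def classify_request(line: str) -> Optional[dict]:
    """Return a finding for a log line that targets the watched script with a
    suspicious UPLOAD_FILENAME value, otherwise None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    target = urlsplit(m.group("target"))
    if target.path.rsplit("/", 1)[-1] != WATCHED_SCRIPT:
        return None
    values = parse_qs(target.query, keep_blank_values=True).get(WATCHED_PARAM, [])
    graded = [(v, classify_value(v)) for v in values]
    graded = [(v, g) for v, g in graded if g]
    if not graded:
        return None
    worst = "high" if any(g == "high" for _, g in graded) else "medium"
    return {"src": m.group("src"), "severity": worst, "values": [v for v, _ in graded]}


def analyze_log(lines):
    """Findings for every line plus a per-source count, which surfaces probing."""
    findings = [f for f in map(classify_request, lines) if f]
    per_source = {}
    for f in findings:
        per_source[f["src"]] = per_source.get(f["src"], 0) + 1
    return findings, per_source


# Constructed sample log; none of these lines are real observations.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Jan/2026:19:35:25 +0000] "GET /cgi-bin/cstecgi.cgi?UPLOAD_FILENAME=update.bin HTTP/1.1" 200 512',
    '198.51.100.7 - - [06/Jan/2026:19:36:01 +0000] "GET /cgi-bin/cstecgi.cgi?UPLOAD_FILENAME=report.txt%3Bls HTTP/1.1" 200 77',
    '198.51.100.7 - - [06/Jan/2026:19:36:02 +0000] "GET /cgi-bin/cstecgi.cgi?UPLOAD_FILENAME=a.bin%2526ls HTTP/1.1" 200 77',
    '203.0.113.5 - - [06/Jan/2026:19:37:10 +0000] "GET /cgi-bin/cstecgi.cgi?UPLOAD_FILENAME=my%20file.bin HTTP/1.1" 400 0',
    '203.0.113.5 - - [06/Jan/2026:19:37:11 +0000] "GET /index.html?UPLOAD_FILENAME=x%3Bls HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    found, counts = analyze_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['severity']:6} {f['src']:14} {f['values']}")
    print("findings per source:", counts)
```

If the device's handler receives UPLOAD_FILENAME in a POST body rather than the query string, the same classify_value check applies to the body value once your log source exposes it. The allowlist is what a hardened handler would enforce before the value touches any command or path; the stronger fix, where the firmware author controls the code, is to never pass the value through a shell at all.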
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-01-06T13:52:52.328Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 695d63fda7c70f178f8fbb1c
Added to database: 1/6/2026, 7:35:25 PM
Last enriched: 1/6/2026, 7:41:19 PM
Last updated: 1/8/2026, 9:20:59 AM