CVE-2026-0641 is a command injection vulnerability identified in the TOTOLINK WA300 router firmware version 5.2cu.7112_B20190227. The flaw exists in the cstecgi.cgi CGI script, specifically in the sub_401510 function, where the UPLOAD_FILENAME parameter is improperly sanitized. This allows an attacker to inject arbitrary commands that the system executes with the privileges of the web server process. The vulnerability can be exploited remotely without requiring authentication or user interaction, increasing the attack surface significantly. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), no user interaction (UI:N), and partial impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no known exploits are currently active in the wild, the public disclosure of the vulnerability increases the risk of exploitation. The vulnerability could allow attackers to take control of the device, manipulate network traffic, or use the device as a foothold for further attacks within a network. The lack of available patches at the time of disclosure necessitates immediate defensive measures by administrators.

The vulnerability enables remote attackers to execute arbitrary commands on affected TOTOLINK WA300 devices, potentially leading to full device compromise. This can result in unauthorized access to network traffic, interception or manipulation of data, disruption of network services, and the use of compromised devices as a launchpad for lateral movement or further attacks. Organizations relying on these routers for critical network infrastructure may face confidentiality breaches, integrity violations, and availability disruptions. The medium CVSS score reflects moderate ease of exploitation combined with partial impact on system security properties. However, the absence of authentication requirements and user interaction significantly increases the risk. The impact is especially critical in environments where these routers are deployed in sensitive or high-value networks, including small to medium enterprises and home networks that may lack robust security monitoring.

Administrators should immediately restrict remote access to the router’s management interface, ideally limiting it to trusted internal networks or disabling remote management entirely. Network segmentation should be employed to isolate vulnerable devices from critical infrastructure. Monitoring network traffic for unusual command execution patterns or unexpected outbound connections can help detect exploitation attempts. If available, upgrading the router firmware to a version that patches this vulnerability is the most effective mitigation; if no patch exists, consider replacing the device with a secure alternative. Employing Web Application Firewalls (WAFs) or Intrusion Prevention Systems (IPS) with signatures targeting command injection attempts against TOTOLINK devices can provide additional protection. Regularly auditing device configurations and access logs will help identify potential compromise early. Users should also change default credentials and enforce strong authentication mechanisms where possible to reduce risk.