CVE-2026-2167 is a medium-severity OS command injection vulnerability identified in the Totolink WA300 wireless router firmware version 5.2cu.7112_B20190227. The vulnerability resides in the setAPNetwork function of the /cgi-bin/cstecgi.cgi CGI script, which processes the Ipaddr parameter insecurely. By crafting a malicious request that manipulates this parameter, an attacker can inject arbitrary operating system commands that the device executes with the privileges of the web server process. The flaw is remotely exploitable without requiring authentication or user interaction, increasing its risk profile. The vulnerability was publicly disclosed on February 8, 2026, and a public exploit is available, although no active exploitation in the wild has been reported to date. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L - low privileges), no user interaction (UI:N), and partial impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). This suggests that an attacker with low privileges on the network can leverage this flaw to execute commands, potentially leading to device compromise, network disruption, or pivoting attacks. The affected product, Totolink WA300, is a consumer and small business wireless access point/router, commonly deployed in various regions. The lack of an official patch link in the provided data indicates that remediation may require vendor engagement or manual mitigation steps. Given the public exploit availability, timely mitigation is critical to prevent exploitation.

The exploitation of CVE-2026-2167 can lead to unauthorized remote code execution on affected Totolink WA300 devices, enabling attackers to take control of the router. This can result in several adverse impacts including interception or manipulation of network traffic, disruption of network availability, and use of the compromised device as a foothold for lateral movement within the network. Confidentiality may be compromised if attackers access sensitive network data or credentials stored or passing through the device. Integrity and availability impacts arise from potential device configuration changes or denial of service conditions caused by malicious commands. Organizations relying on these routers for critical connectivity, especially in small office or home office environments, may face operational disruptions. The medium CVSS score reflects the moderate but tangible risk, especially given the ease of remote exploitation without authentication. The presence of a public exploit increases the likelihood of opportunistic attacks, particularly targeting unpatched devices exposed to the internet or untrusted networks.

1. Immediate mitigation should focus on isolating affected Totolink WA300 devices from untrusted networks, especially the internet, to reduce exposure to remote attacks. 2. Network administrators should implement strict firewall rules to block access to the /cgi-bin/cstecgi.cgi endpoint or restrict access to trusted management IP addresses only. 3. Monitor network traffic for unusual requests targeting the setAPNetwork function or suspicious command injection patterns. 4. Engage with Totolink support or check official vendor channels regularly for firmware updates or patches addressing this vulnerability. 5. If no official patch is available, consider replacing affected devices with models not impacted by this vulnerability or deploying additional network segmentation to limit potential damage. 6. Employ intrusion detection/prevention systems (IDS/IPS) with signatures for known exploits targeting this vulnerability. 7. Educate users and administrators about the risks of exposing management interfaces to public networks and enforce strong network access controls. 8. Regularly audit device firmware versions and configurations to ensure compliance with security best practices.