CVE-2026-2167 is an OS command injection vulnerability identified in the Totolink WA300 wireless router firmware version 5.2cu.7112_B20190227. The vulnerability resides in the setAPNetwork function of the /cgi-bin/cstecgi.cgi CGI script, specifically in the handling of the Ipaddr parameter. An attacker can remotely supply crafted input to this parameter, which is improperly sanitized, allowing arbitrary operating system commands to be executed with the privileges of the web server process. The attack vector is network-based, requiring no authentication or user interaction, which significantly lowers the barrier for exploitation. The CVSS v4.0 score of 5.3 reflects a medium severity, considering the ease of remote exploitation but limited scope of impact due to privilege level and lack of direct system-wide control. While no active exploitation has been reported, the availability of a public exploit increases the risk of future attacks. Successful exploitation could lead to unauthorized access, data leakage, device manipulation, or denial of service, impacting the router’s confidentiality, integrity, and availability. The vulnerability is specific to a single firmware version, so devices running other versions may not be affected. No official patches or updates have been linked yet, so mitigation relies on network-level controls or firmware upgrades once available.

For European organizations, this vulnerability poses a significant risk to network security, especially for those deploying Totolink WA300 routers in their infrastructure. Exploitation could allow attackers to gain unauthorized control over the router, potentially leading to interception or manipulation of network traffic, disruption of network services, or pivoting to internal systems. This could compromise sensitive data confidentiality and integrity, and degrade availability of critical network resources. Organizations in sectors such as telecommunications, government, finance, and critical infrastructure are particularly vulnerable due to the strategic importance of their networks. The lack of authentication requirement means attackers can exploit the vulnerability remotely without prior access, increasing the threat surface. Given the public availability of an exploit, the risk of targeted attacks or automated scanning campaigns is elevated. European entities relying on this router model should assess their exposure and implement mitigations promptly to avoid potential operational and reputational damage.

1. Immediate mitigation should include isolating affected Totolink WA300 devices from untrusted networks, especially the internet, to reduce exposure to remote attacks. 2. Implement network-level access controls such as firewall rules to restrict access to the router’s management interface, allowing only trusted IP addresses or internal networks. 3. Monitor network traffic for unusual or suspicious activity targeting the /cgi-bin/cstecgi.cgi endpoint or attempts to manipulate the Ipaddr parameter. 4. Disable remote management features on the router if not required, to minimize the attack surface. 5. Regularly check for firmware updates or security advisories from Totolink and apply patches as soon as they become available. 6. Consider replacing affected devices with alternative models from vendors with a stronger security track record if patching is delayed. 7. Conduct internal audits to identify all Totolink WA300 devices in use and verify their firmware versions. 8. Educate network administrators about this vulnerability and the importance of timely mitigation steps. 9. Employ intrusion detection/prevention systems (IDS/IPS) capable of detecting command injection attempts targeting this vulnerability. 10. Maintain comprehensive backups and incident response plans to quickly recover from potential compromises.