CVE-2026-3696 is an OS command injection vulnerability identified in the Totolink N300RH wireless router firmware version 6..1c.1353_B20190305. The vulnerability resides in the setWiFiWpsConfig function of the /cgi-bin/cstecgi.cgi CGI handler component. This function improperly sanitizes input parameters, allowing an attacker to inject arbitrary operating system commands remotely without authentication or user interaction. The attack vector is network-based, requiring only that the attacker send crafted HTTP requests to the vulnerable CGI endpoint. Successful exploitation can lead to full command execution on the device, enabling attackers to manipulate router configurations, intercept or redirect network traffic, or pivot to internal networks. The CVSS 4.0 score of 6.9 reflects the ease of exploitation (no privileges or user interaction needed) but limited scope and impact on confidentiality, integrity, and availability (each rated low). While no active exploitation has been reported, the public availability of exploit code increases the likelihood of future attacks. The vulnerability affects a specific firmware version, so devices running other versions may not be impacted. No official patches have been linked yet, emphasizing the need for immediate mitigation steps.

The primary impact of CVE-2026-3696 is unauthorized remote code execution on affected Totolink N300RH routers, which can lead to complete compromise of the device. This jeopardizes the confidentiality and integrity of network traffic passing through the router, potentially allowing attackers to intercept sensitive data, modify network configurations, or launch further attacks within the internal network. Availability could also be affected if attackers disrupt router operations or cause denial of service. For organizations, this vulnerability could result in data breaches, loss of network control, and exposure to lateral movement by attackers. Given the router’s role as a network gateway, exploitation could undermine overall network security posture. The absence of authentication and user interaction requirements lowers the barrier for attackers, increasing risk. Although currently no widespread exploitation is reported, the public exploit code could facilitate rapid weaponization and targeted attacks, especially against organizations or users relying on this specific router model and firmware version.

1. Immediately verify the firmware version of all Totolink N300RH devices and isolate those running version 6..1c.1353_B20190305. 2. Check for and apply any official firmware updates or patches from Totolink addressing this vulnerability as soon as they become available. 3. If patches are not yet available, restrict access to the router’s management interface by limiting it to trusted internal networks and disabling remote management features. 4. Implement network segmentation to isolate vulnerable devices from critical infrastructure and sensitive data. 5. Monitor network traffic for unusual or unauthorized access attempts targeting the /cgi-bin/cstecgi.cgi endpoint. 6. Employ intrusion detection/prevention systems (IDS/IPS) with signatures for command injection attempts against Totolink devices. 7. Consider replacing affected devices with models that have no known vulnerabilities or have received timely security updates. 8. Educate network administrators about the risks of command injection and the importance of input validation in web interfaces. 9. Regularly audit router configurations and logs to detect signs of compromise or exploitation attempts. 10. Use network-level firewalls to block suspicious outbound connections originating from the router that may indicate exploitation.