CVE-2026-4497 is a remote OS command injection vulnerability identified in the Totolink WA300 router firmware version 5.2cu.7112_B20190227. The vulnerability resides in the recvUpgradeNewFw function of the /cgi-bin/cstecgi.cgi CGI script. This function improperly sanitizes user input, allowing an attacker to inject arbitrary OS commands that the system executes with the privileges of the web server process. Because the attack vector is remote and requires no authentication or user interaction, an attacker can exploit this flaw over the network to gain unauthorized control. The vulnerability impacts confidentiality, integrity, and availability by enabling attackers to execute commands that could disclose sensitive information, modify device settings, or disrupt router functionality. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and partial impacts on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no active exploitation in the wild has been reported, public disclosure of exploit code increases the likelihood of attacks. The affected product, Totolink WA300, is a consumer and small office wireless router, commonly deployed in various global markets. The lack of available patches at the time of disclosure necessitates immediate mitigation efforts to reduce exposure.

The vulnerability allows remote attackers to execute arbitrary OS commands on affected Totolink WA300 devices without authentication, potentially leading to full device compromise. This can result in unauthorized disclosure of network configuration and sensitive data, unauthorized modification or disruption of router settings, and denial of service conditions. Compromised routers could be leveraged as entry points into internal networks, facilitating lateral movement or persistent access. The impact extends to confidentiality, integrity, and availability of network infrastructure relying on these devices. Organizations using these routers in home, small office, or branch environments face increased risk of network breaches, data leakage, and service interruptions. Given the public availability of exploit code, the threat landscape may escalate rapidly, especially targeting unpatched devices. The medium CVSS score reflects the balance between ease of exploitation and partial impact scope, but the real-world consequences could be severe if exploited in critical network environments.

1. Immediately check for and apply any official firmware updates or patches released by Totolink addressing CVE-2026-4497. 2. If patches are not yet available, restrict access to the router’s management interface by limiting it to trusted internal networks and disabling remote management features. 3. Employ network segmentation to isolate affected devices from critical infrastructure and sensitive data. 4. Monitor network traffic for unusual command execution patterns or unexpected outbound connections originating from the router. 5. Replace affected devices with models from vendors with active security support if patching is not feasible. 6. Implement strict firewall rules to block unauthorized access to the /cgi-bin/cstecgi.cgi endpoint. 7. Educate users and administrators about the risks of using outdated firmware and the importance of timely updates. 8. Conduct regular vulnerability assessments and penetration testing to identify and remediate similar issues proactively.