Goal Reached Thanks to every supporter โ€” we hit 100%!

Goal: 1000 CNY ยท Raised: 1336 CNY

100%

CVE-2026-3301 โ€” AI Deep Analysis Summary

CVSS 9.8 ยท Critical

Q1What is this vulnerability? (Essence + Consequences)

๐Ÿšจ **Essence**: OS Command Injection in TOTOLINK N300RH. ๐Ÿ’ฅ **Consequences**: Attackers can execute arbitrary system commands, leading to full device compromise and potential network takeover.

Q2Root Cause? (CWE/Flaw)

๐Ÿ›ก๏ธ **Root Cause**: CWE-78 (OS Command Injection). ๐Ÿ› **Flaw**: Improper handling of the `webWlanIdx` parameter in the `setWebWlanIdx` function within `/cgi-bin/cstecgi.cgi`.

Q3Who is affected? (Versions/Components)

๐Ÿ“ฆ **Affected**: TOTOLINK N300RH Router. ๐Ÿ“… **Version**: Firmware 6.1c.1353_B20190305. ๐Ÿข **Vendor**: Totolink (China Jicong Electronics).

Q4What can hackers do? (Privileges/Data)

๐Ÿ‘‘ **Privileges**: High (Root/System level). ๐Ÿ“Š **Data**: Full Control (C:H, I:H, A:H). Attackers gain complete read/write/execute access to the underlying OS.

Q5Is exploitation threshold high? (Auth/Config)

โš ๏ธ **Threshold**: Low. ๐ŸŒ **Auth**: None required (PR:N). ๐Ÿ“ก **Access**: Network (AV:N). ๐ŸŽฏ **Complexity**: Low (AC:L). No user interaction needed (UI:N).

Q6Is there a public Exp? (PoC/Wild Exploitation)

๐Ÿ”“ **Public Exp**: Yes. ๐Ÿ“‚ **Source**: GitHub (xyh4ck/iot_poc). ๐Ÿ“ **Details**: Specific PoC available for `setWebWlanIdx` RCE. Wild exploitation risk is high.

Q7How to self-check? (Features/Scanning)

๐Ÿ” **Check**: Scan for `/cgi-bin/cstecgi.cgi`. ๐Ÿ“ก **Probe**: Send crafted requests to `setWebWlanIdx` with malicious `webWlanIdx` values. ๐Ÿ› ๏ธ **Tools**: Use existing GitHub PoC scripts for verification.

Q8Is it fixed officially? (Patch/Mitigation)

๐Ÿ”„ **Patch**: Check vendor site. ๐Ÿ“‰ **Mitigation**: If no patch, disable remote management. ๐Ÿšซ **Block**: Restrict access to the Web Management Interface via firewall rules.

Q9What if no patch? (Workaround)

๐Ÿ›‘ **Workaround**: Disable the Web Management Interface entirely if not needed. ๐Ÿ”’ **Network Segmentation**: Isolate IoT devices from critical network segments. ๐Ÿšซ **Access Control**: Limit CGI access to trusted IPs only.

Q10Is it urgent? (Priority Suggestion)

๐Ÿ”ฅ **Urgency**: Critical. ๐Ÿ“… **Published**: 2026-02-27. ๐Ÿšจ **Risk**: CVSS 9.8 (Critical). Immediate action required due to low exploitation barrier and high impact.