8.9
Totolink N300RH: Unsecured web interface allows remote attacks
CVE-2026-3301
Summary
An OS command injection flaw in the Totolink N300RH's web management interface allows remote attackers to execute commands on the device. The flaw is reached through the webWlanIdx argument handled by the setWebWlanIdx function in /cgi-bin/cstecgi.cgi. To protect your device, update the firmware to the latest version available.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| totolink | n300rh_firmware | 6.1c.1349_b20181018 | – |
| totolink | n300rh_firmware | 6.1c.1353_b20190305 | – |
Original title
A security flaw has been discovered in Totolink N300RH 6.1c.1353_B20190305. Affected by this vulnerability is the function setWebWlanIdx of the file /cgi-bin/cstecgi.cgi of the component Web Manage...
Original description
A security flaw has been discovered in Totolink N300RH 6.1c.1353_B20190305. Affected by this vulnerability is the function setWebWlanIdx of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Performing a manipulation of the argument webWlanIdx results in os command injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.
nvd CVSS2.0
10.0
nvd CVSS3.1
9.8
nvd CVSS4.0
8.9
Vulnerability type
CWE-77
Command Injection
CWE-78
OS Command Injection
- https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/N300RHv4/01_setWebWlanIdx_R... Exploit Third Party Advisory
- https://vuldb.com/?ctiid.348052 Permissions Required VDB Entry
- https://vuldb.com/?id.348052 Third Party Advisory VDB Entry
- https://vuldb.com/?submit.761297 Third Party Advisory VDB Entry
- https://www.totolink.net/ Product
Published: 27 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026