Totolink A3600R
cpe:2.3:h:totolink:a3600r:*:*:*:*:*:*:*
- 4.1.2cu.5182_B20201102
A command injection vulnerability has been identified in the Totolink A3600R router running firmware version 4.1.2cu.5182_B20201102. The flaw is in the setNoticeCfg function of the Parameter Handler component, in the file /cgi-bin/cstecgi.cgi. The NoticeUrl parameter is user-controllable, and manipulating it allows the issue to be exploited remotely. Exploitation could lead to unauthorized command execution on the device.
Exploitation of this vulnerability allows for pre-authentication remote command execution on the affected device.