CVE-2026-31027

CriticalPublic PoC

Published: 01 April 2026

Published

01 April 2026

Modified

07 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0085 75.0th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

TOTOlink A3600R v5.9c.4959 contains a buffer overflow vulnerability in the setAppEasyWizardConfig interface of /lib/cste_modules/app.so. The vulnerability occurs because the rootSsid parameter is not properly validated for length, allowing remote attackers to trigger a buffer overflow, potentially leading to arbitrary code…

execution or denial of service.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly mandates information input validation mechanisms at entry points to check parameters like rootSsid for length, preventing the buffer overflow condition.

SI-16 Memory Protection partial match

prevent

Implements memory protection such as address space layout randomization and data execution prevention to mitigate exploitation of buffer overflows even if validation fails.

SI-2 Flaw Remediation good match

prevent

Requires timely flaw remediation to identify and patch the specific buffer overflow vulnerability in the setAppEasyWizardConfig interface.

Security SummaryAI

CVE-2026-31027, published on 2026-04-01, is a buffer overflow vulnerability (CWE-120) in TOTOlink A3600R router firmware version v5.9c.4959. The flaw exists in the setAppEasyWizardConfig interface of the /lib/cste_modules/app.so library, where the rootSsid parameter is not properly validated for length, enabling a buffer overflow condition.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity. Remote attackers require no privileges or user interaction and can exploit it over the network with low attack complexity. Successful exploitation may lead to arbitrary code execution or denial of service on the targeted device.

Detailed technical analysis of the vulnerability is available in the referenced GitHub repository at https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/ToTolink/A3600R/rootSsid-setAppEasyWizardConfig.md. No vendor advisories or patches are mentioned in the provided information.

Details

CWE(s): CWE-120

Affected Products

totolink

a3600r firmware

5.9c.4959

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is a remotely exploitable buffer overflow in a public-facing web interface (setAppEasyWizardConfig) on a router firmware, enabling arbitrary code execution without authentication, directly mapping to Exploit Public-Facing Application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/ToTolink/A3600R/rootSsid-setAppEasyWizardConfig.md
Exploit, Third Party Advisory · cve@mitre.org