CVE-2026-31170
Published: 09 April 2026
Description
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stun-pass parameter to /cgi-bin/cstecgi.cgi.
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents command injection by requiring validation and sanitization of inputs like the stun-pass parameter in the cstecgi.cgi script.
Requires timely identification, reporting, and patching of the specific command injection flaw in the ToToLink A3300R firmware.
Limits the impact of successful command injection by enforcing least privilege on processes handling the vulnerable stun-pass parameter.
Security SummaryAI
CVE-2026-31170 is a command injection vulnerability (CWE-77) in ToToLink A3300R firmware version v17.0.0cu.557_B20221024. The issue resides in the /cgi-bin/cstecgi.cgi component, where the stun-pass parameter can be manipulated by attackers to execute arbitrary commands on the device.
With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the vulnerability is critically severe and exploitable remotely over the network with low complexity. Unauthenticated attackers require no privileges or user interaction to trigger it, potentially achieving high-impact compromise of confidentiality, integrity, and availability through arbitrary command execution.
References point to GitHub repositories at https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-pass-cmd-injection, which contain proof-of-concept details for the stun-pass command injection in ToToLink A3300R. No vendor advisories or patches are specified in the available information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote command injection via public-facing web CGI (T1190: Exploit Public-Facing Application) enables arbitrary Unix shell command execution on the router firmware (T1059.004: Unix Shell).