CVE-2026-31175

CriticalPublic PoC

Published: 23 April 2026

Published

23 April 2026

Modified

24 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0041 61.6th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunEnable parameter to /cgi-bin/cstecgi.cgi.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents command injection by requiring validation and sanitization of the unsanitized stunEnable parameter in the cstecgi.cgi endpoint.

SI-2 Flaw Remediation good match

prevent

Remediates the specific command injection flaw in ToToLink A3300R firmware through timely identification, reporting, and patching.

IA-8 Identification and Authentication (Non-organizational Users) good match

prevent

Mitigates unauthenticated remote exploitation by requiring identification and authentication for non-organizational users accessing the vulnerable web interface.

Security SummaryAI

CVE-2026-31175 is a command injection vulnerability (CWE-77) discovered in the ToToLink A3300R firmware version v17.0.0cu.557_B20221024. It affects the web interface component, specifically the /cgi-bin/cstecgi.cgi endpoint, where the stunEnable parameter fails to properly sanitize user input, enabling attackers to inject and execute arbitrary operating system commands.

The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical), with network accessibility (AV:N), low attack complexity (AC:L), no required privileges (PR:N), no user interaction (UI:N), and high impacts on confidentiality (C:H), integrity (I:H), and availability (A:H). Unauthenticated remote attackers can exploit it over the network by sending a crafted HTTP request to the affected endpoint, achieving arbitrary command execution on the device, potentially leading to full router compromise, data theft, or further network pivoting.

References point to GitHub repositories containing proof-of-concept exploit code for the ToToLink A3300R stunEnable command injection, but no official advisories, vendor patches, or specific mitigation guidance are detailed in the provided sources.

Details

CWE(s): CWE-77

Affected Products

totolink

a3300r firmware

17.0.0cu.557_b20221024

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

CVE-2026-31175 is a command injection vulnerability in a public-facing web interface (router CGI endpoint), enabling unauthenticated remote exploitation for arbitrary OS command execution, directly mapping to T1190 and facilitating T1059.004 on likely Unix/Linux-based firmware.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-enable-cmd-injection
Exploit, Third Party Advisory · cve@mitre.org
https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-enable-cmd-injection
Exploit, Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0