CVE-2026-31177

CriticalPublic PoC

Published: 23 April 2026

Published

23 April 2026

Modified

27 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0041 61.6th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunMinAlive parameter to /cgi-bin/cstecgi.cgi.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly mitigates the command injection vulnerability by enforcing validation of the stunMinAlive parameter in the cstecgi.cgi script to block arbitrary OS command execution.

SI-2 Flaw Remediation good match

prevent

Addresses the specific flaw in ToToLink A3300R firmware v17.0.0cu.557_B20221024 through timely remediation, such as applying patches to fix insufficient input validation.

SI-9 Information Input Restrictions good match

prevent

Prevents command injection by restricting or filtering malicious inputs like shell metacharacters in the stunMinAlive parameter before processing by the CGI component.

Security SummaryAI

CVE-2026-31177 is a command injection vulnerability (CWE-78) discovered in ToToLink A3300R firmware version v17.0.0cu.557_B20221024. The flaw resides in the /cgi-bin/cstecgi.cgi component, where insufficient input validation on the stunMinAlive parameter enables attackers to inject and execute arbitrary operating system commands.

With a CVSS v3.1 base score of 9.8 (Critical), the vulnerability is exploitable remotely over the network (AV:N) with low attack complexity (AC:L), requiring no authentication (PR:N) or user interaction (UI:N). Attackers can achieve high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) by executing arbitrary commands, potentially leading to full device compromise, such as root shell access or persistent backdoors on affected routers.

Proof-of-concept exploit code is publicly available on GitHub at https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-min-alive-cmd-injection. No vendor advisories, patches, or official mitigation guidance are referenced in the CVE details.

Details

CWE(s): CWE-78

Affected Products

totolink

a3300r firmware

17.0.0cu.557_b20221024

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.008 Network Device CLI Execution

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.

attack.mitre.org →

Why these techniques?

CVE enables unauthenticated remote exploitation of a public-facing web application (T1190) on a network device, directly facilitating arbitrary OS command execution via command injection (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-min-alive-cmd-injection
Exploit, Third Party Advisory · cve@mitre.org
https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-min-alive-cmd-injection
Exploit, Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0