CVE-2026-31178

CriticalPublic PoC

Published: 23 April 2026

Published

23 April 2026

Modified

27 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0041 61.6th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunMaxAlive parameter to /cgi-bin/cstecgi.cgi.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents command injection by requiring validation and sanitization of the unsanitized stunMaxAlive parameter in the /cgi-bin/cstecgi.cgi endpoint.

SI-2 Flaw Remediation good match

prevent

Mitigates the vulnerability through timely remediation of the command injection flaw in the TOTOLINK A3300R firmware.

SC-7 Boundary Protection partial match

preventdetect

Enforces boundary protection at the router's external web interface to inspect and block malicious requests exploiting the vulnerable stunMaxAlive parameter.

Security SummaryAI

CVE-2026-31178 is a command injection vulnerability (CWE-78) discovered in the TOTOLINK A3300R firmware version v17.0.0cu.557_B20221024. The issue resides in the /cgi-bin/cstecgi.cgi endpoint, where the stunMaxAlive parameter fails to properly sanitize user input, enabling attackers to inject and execute arbitrary operating system commands.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and high impact across confidentiality, integrity, and availability. Remote, unauthenticated attackers can exploit it by sending a malicious HTTP request to the affected endpoint, achieving arbitrary command execution on the router with the privileges of the web server process.

Proof-of-concept exploit code demonstrating the command injection is publicly available in the GitHub repository https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-max-alive-cmd-injection. No vendor advisories, patches, or specific mitigation guidance are detailed in the provided references.

Details

CWE(s): CWE-78

Affected Products

totolink

a3300r firmware

17.0.0cu.557_b20221024

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.008 Network Device CLI Execution

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.

attack.mitre.org →

Why these techniques?

The vulnerability enables exploitation of a public-facing web application (T1190) on a network device router, directly facilitating arbitrary command execution via command injection (T1059.008: Network Device CLI).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-max-alive-cmd-injection
Exploit, Third Party Advisory · cve@mitre.org
https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-max-alive-cmd-injection
Exploit, Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0