Cyber Resilience

CVE-2026-31027

Critical · Public PoC

Published: 01 April 2026
Modified: 07 April 2026
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0059 (43.4th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-31027 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Totolink A3600R Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 43.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Deeper analysis

TOTOlink A3600R v5.9c.4959 contains a buffer overflow in the setAppEasyWizardConfig interface of /lib/cste_modules/app.so. The flaw stems from missing length validation on the rootSsid parameter; it is tracked as CWE-120 (Classic Buffer Overflow) with a CVSS 3.1 base score of 9.8.

Because the vector is AV:N/PR:N/UI:N, a remote, unauthenticated attacker can send a single crafted request to the interface to overflow the buffer, yielding arbitrary code execution on the router or a denial of service. The single available reference is a technical write-up hosted on GitHub that documents the parameter-handling issue; it provides no vendor advisory or patch information, so no fix is known at the time of writing, and the practical controls are the ones listed under Mitigating Controls (reject unauthenticated requests to the interface and keep the management plane off the WAN). The EPSS score has stayed flat since disclosure with no material increase (0.0120 at the time of this analysis; the header records 0.0059, 43.4th percentile).


Vulnerability details

TOTOlink A3600R v5.9c.4959 contains a buffer overflow vulnerability in the setAppEasyWizardConfig interface of /lib/cste_modules/app.so. The vulnerability occurs because the rootSsid parameter is not properly validated for length, allowing remote attackers to trigger a buffer overflow, potentially leading to arbitrary code execution or denial of service.

CWE(s)

CWE-120 Classic Buffer Overflow

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a remotely exploitable buffer overflow in a public-facing web interface (setAppEasyWizardConfig) on a router firmware, enabling arbitrary code execution without authentication, directly mapping to Exploit Public-Facing Application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-1686 (same product: Totolink A3600R)
CVE-2026-5020 (same product: Totolink A3600R)
CVE-2025-25635 (same vendor: Totolink)
CVE-2025-25609 (same vendor: Totolink)
CVE-2025-67188 (same vendor: Totolink)
CVE-2025-51630 (same vendor: Totolink)
CVE-2025-67186 (same vendor: Totolink)
CVE-2025-9780 (same vendor: Totolink)
CVE-2025-25610 (same vendor: Totolink)
CVE-2025-1852 (same vendor: Totolink)

Affected Assets

Vendor: totolink
Product: a3600r firmware
Version: 5.9c.4959

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly requires validation of input length and format on parameters such as rootSsid before they are processed by setAppEasyWizardConfig, eliminating the buffer overflow root cause.

AC-3 Access Enforcement (prevent)
Enforces access-control decisions so that unauthenticated remote requests to the vulnerable interface are rejected before the malformed rootSsid parameter can be handled.

Memory protection (prevent)
Requires memory-protection mechanisms that can detect or block attempts to overwrite buffers during exploitation of the unchecked rootSsid input.
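Added example, not code from this page, from the GitHub write-up or from the TOTOLINK firmware: a hypothetical reconstruction in C of the CWE-120 pattern described under Deeper analysis, placed beside the bounds-checked handler that the SI-10 control above calls for. The real setAppEasyWizardConfig code in /lib/cste_modules/app.so is not shown on this page, so the struct layout, the 32-byte SSID buffer, the return codes, the printable-ASCII rule and every function name below are assumptions.

```c
/* Added example: hypothetical reconstruction of the CWE-120 pattern this
 * page describes (unchecked copy of the rootSsid parameter) beside an
 * SI-10-style fix. Not the real app.so code; names, sizes and return codes
 * are assumptions. */
#include <stdio.h>
#include <string.h>

/* 802.11 caps an SSID at 32 octets. A fixed stack buffer of that size is the
 * kind of storage an unchecked strcpy() overruns (buffer size assumed). */
#define SSID_MAX_LEN 32
#define SSID_BUF_LEN (SSID_MAX_LEN + 1)

enum wizard_rc {
    WIZ_OK = 0,
    WIZ_ERR_EMPTY = -1,
    WIZ_ERR_TOO_LONG = -2,
    WIZ_ERR_BAD_CHAR = -3
};

struct wizard_cfg {
    char root_ssid[SSID_BUF_LEN];   /* stored copy of the rootSsid parameter */
};

/* VULNERABLE pattern, kept unsafe on purpose for contrast: the request
 * parameter is copied into a fixed stack buffer with no length check. A
 * rootSsid longer than 32 bytes runs past ssid[] into adjacent stack data,
 * which is what lets an unauthenticated request crash the process or hijack
 * control flow. Only ever call this with trusted, short input. */
static void vuln_set_root_ssid(struct wizard_cfg *cfg, const char *root_ssid)
{
    char ssid[SSID_BUF_LEN];
    strcpy(ssid, root_ssid);                 /* CWE-120: unbounded copy */
    strcpy(cfg->root_ssid, ssid);
}

/* Validate before the value touches any fixed-size storage: non-empty, at
 * most SSID_MAX_LEN bytes, printable ASCII only (assumed wizard policy).
 * The scan itself is bounded, so an attacker-chosen length is never walked. */
static enum wizard_rc validate_root_ssid(const char *root_ssid, size_t *len_out)
{
    size_t len = 0;
    for (; root_ssid[len] != '\0'; len++) {
        if (len == SSID_MAX_LEN)
            return WIZ_ERR_TOO_LONG;         /* 33rd byte seen: reject */
        unsigned char c = (unsigned char)root_ssid[len];
        if (c < 0x20 || c > 0x7e)
            return WIZ_ERR_BAD_CHAR;
    }
    if (len == 0)
        return WIZ_ERR_EMPTY;
    *len_out = len;
    return WIZ_OK;
}

/* HARDENED handler: reject first, then copy exactly len bytes and terminate.
 * On any error the stored configuration is left unchanged. */
static enum wizard_rc set_root_ssid_checked(struct wizard_cfg *cfg, const char *root_ssid)
{
    size_t len = 0;
    enum wizard_rc rc = validate_root_ssid(root_ssid, &len);
    if (rc != WIZ_OK)
        return rc;
    memcpy(cfg->root_ssid, root_ssid, len);
    cfg->root_ssid[len] = '\0';
    return WIZ_OK;
}

int main(void)
{
    struct wizard_cfg cfg = { {0} };
    char oversized[300];                     /* constructed attacker-style value */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    vuln_set_root_ssid(&cfg, "HomeNet");    /* benign input: works by luck */
    printf("vulnerable path stored: %s\n", cfg.root_ssid);

    enum wizard_rc rc = set_root_ssid_checked(&cfg, oversized);
    printf("checked path, 299-byte rootSsid -> rc %d, stored value still \"%s\"\n",
           rc, cfg.root_ssid);
    rc = set_root_ssid_checked(&cfg, "HomeNet-5G");
    printf("checked path, \"HomeNet-5G\" -> rc %d, stored value \"%s\"\n",
           rc, cfg.root_ssid);
    return 0;
}
```

Compile with any C compiler and run: the checked path rejects the constructed 299-byte rootSsid without touching the stored value, whereas the unchecked strcpy() would have written 300 bytes into a 33-byte buffer, 267 bytes past its end. The printable-ASCII rule is an assumed wizard policy, not an 802.11 requirement (SSIDs may carry arbitrary octets); the length bound is the check that removes the overflow.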
