CVE-2026-31027
Published: 01 April 2026
Summary
CVE-2026-31027 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Totolink A3600R Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 43.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).
Deeper analysis
TOTOlink A3600R v5.9c.4959 contains a buffer overflow vulnerability in the setAppEasyWizardConfig interface of /lib/cste_modules/app.so. The flaw stems from missing length validation on the rootSsid parameter and is tracked as CWE-120 with a CVSS 3.1 score of 9.8.
Remote unauthenticated attackers can send a crafted request over the network to overflow the buffer, enabling arbitrary code execution or denial of service. The single available reference is a technical write-up hosted on GitHub that documents the parameter handling issue but provides no vendor advisory or patch information, so until a vendor fix is published the practical mitigation is to keep the device's web management interface unreachable from untrusted networks. The associated EPSS score remains flat at 0.0120 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-17913
Vulnerability details
TOTOlink A3600R v5.9c.4959 contains a buffer overflow vulnerability in the setAppEasyWizardConfig interface of /lib/cste_modules/app.so. The vulnerability occurs because the rootSsid parameter is not properly validated for length, allowing remote attackers to trigger a buffer overflow, potentially leading to arbitrary code execution or denial of service.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remotely exploitable buffer overflow in a public-facing web interface (setAppEasyWizardConfig) on a router firmware, enabling arbitrary code execution without authentication, directly mapping to Exploit Public-Facing Application (T1190).
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): directly requires validation of input length and format on parameters such as rootSsid before they are processed by setAppEasyWizardConfig, eliminating the buffer overflow root cause.
AC-3 (Access Enforcement): enforces access-control decisions so that unauthenticated remote requests to the vulnerable interface are rejected before the malformed rootSsid parameter can be handled.
SI-16 (Memory Protection): requires memory-protection mechanisms (such as non-executable stacks and address-space randomization) that can detect or block attempts to overwrite buffers during exploitation of the unchecked rootSsid input.
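The "Deeper analysis" section above describes the flaw as a missing length check on rootSsid, and the SI-10 control calls for validating that length before the parameter is processed. The following C program is an added example illustrating both points; it is not code from the A3600R firmware or from app.so. The struct layout, the function names, the 32-octet SSID limit, the form-encoded request format and the sample requests are all assumptions constructed for illustration, and the parser deliberately skips percent-decoding to stay short.

```c
/* Added example, not TOTOLINK's code: a minimal stand-in for a
 * setAppEasyWizardConfig-style handler showing the CWE-120 pattern
 * (unbounded copy of rootSsid) beside an SI-10-style checked version.
 * Struct layout, names and request format are assumptions. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define SSID_MAX 32            /* IEEE 802.11 SSIDs are at most 32 octets */

/* Assumed configuration record with a fixed-size SSID buffer. */
struct wizard_cfg {
    char root_ssid[SSID_MAX + 1];
    char root_key[64];
};

/* Locate "name=value" in a form-encoded body (no percent-decoding).
 * Returns a pointer to the value and stores its length in *len,
 * or NULL when the field is absent. */
static const char *find_param(const char *body, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = body;
    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *end = strchr(v, '&');
            *len = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    return NULL;
}

/* Vulnerable pattern (CWE-120): the value is copied into the fixed buffer
 * with whatever length the request supplied, so anything longer than
 * SSID_MAX runs past root_ssid. Shown for contrast; never call it with
 * untrusted input. */
void set_root_ssid_unchecked(struct wizard_cfg *cfg, const char *value, size_t len)
{
    memcpy(cfg->root_ssid, value, len);
    cfg->root_ssid[len] = '\0';
}

/* Hardened form (SI-10): validate the length before any copy.
 * Returns 0 on success, -1 when rootSsid is missing, empty or too long. */
int handle_wizard_config(struct wizard_cfg *cfg, const char *body)
{
    size_t len;
    const char *v = find_param(body, "rootSsid", &len);
    if (v == NULL || len == 0 || len > SSID_MAX)
        return -1;
    memcpy(cfg->root_ssid, v, len);
    cfg->root_ssid[len] = '\0';
    return 0;
}

/* Build a request whose rootSsid is n bytes of 'A' and return the checked
 * handler's verdict; used to probe the boundary at SSID_MAX. */
int try_ssid_of_length(size_t n)
{
    struct wizard_cfg cfg;
    char body[512];
    if (n > 400)
        return -2;
    memcpy(body, "rootSsid=", 9);
    memset(body + 9, 'A', n);
    strcpy(body + 9 + n, "&rootKey=x");
    return handle_wizard_config(&cfg, body);
}

/* Run the checked handler and report 1 if root_ssid equals expected,
 * 0 if it differs, -1 if the request was rejected. */
int ssid_after_request(const char *body, const char *expected)
{
    struct wizard_cfg cfg;
    memset(&cfg, 0, sizeof cfg);
    if (handle_wizard_config(&cfg, body) != 0)
        return -1;
    return strcmp(cfg.root_ssid, expected) == 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed sample requests, not captured traffic. */
    printf("normal request: %d\n", ssid_after_request("rootSsid=HomeNet&rootKey=secret", "HomeNet"));
    printf("32-byte SSID  : %d\n", try_ssid_of_length(32));   /* accepted */
    printf("33-byte SSID  : %d\n", try_ssid_of_length(33));   /* rejected */
    printf("200-byte SSID : %d\n", try_ssid_of_length(200));  /* rejected */
    return 0;
}
```

The checked handler rejects the over-long value at the parser boundary, which is the SI-10 root-cause fix; the unchecked variant is the shape that SI-16 mitigations (non-executable stack, ASLR) can only make harder to exploit, not safe.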