Cyber Resilience

CVE-2026-31170

CriticalPublic PoCRCE

Published: 09 April 2026

Published
09 April 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0057 42.9th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-31170 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink A3300R Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 42.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31170 is a command injection vulnerability (CWE-77) in ToToLink A3300R firmware version v17.0.0cu.557_B20221024. The issue resides in the /cgi-bin/cstecgi.cgi component, where the stun-pass parameter can be manipulated by attackers to execute arbitrary commands on the device.

With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the vulnerability is critically severe and exploitable remotely over the network with low complexity. Unauthenticated attackers require no privileges or user interaction to trigger it, potentially achieving high-impact compromise of confidentiality, integrity, and availability through arbitrary command execution.

References point to GitHub repositories at https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-pass-cmd-injection, which contain proof-of-concept details for the stun-pass command injection in ToToLink A3300R. No vendor advisories or patches are specified in the available information.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stun-pass parameter to /cgi-bin/cstecgi.cgi.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Unauthenticated remote command injection via public-facing web CGI (T1190: Exploit Public-Facing Application) enables arbitrary Unix shell command execution on the router firmware (T1059.004: Unix Shell).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-31175Same product: Totolink A3300R
CVE-2026-5177Same product: Totolink A3300R
CVE-2026-5104Same product: Totolink A3300R
CVE-2026-5102Same product: Totolink A3300R
CVE-2026-5103Same product: Totolink A3300R
CVE-2026-5101Same product: Totolink A3300R
CVE-2025-52046Same product: Totolink A3300R
CVE-2026-5105Same product: Totolink A3300R
CVE-2026-5176Same product: Totolink A3300R
CVE-2026-5178Same product: Totolink A3300R

Affected Assets

totolink
a3300r firmware
17.0.0cu.557_b20221024

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents command injection by requiring validation and sanitization of inputs like the stun-pass parameter in the cstecgi.cgi script.

prevent

Requires timely identification, reporting, and patching of the specific command injection flaw in the ToToLink A3300R firmware.

prevent

Limits the impact of successful command injection by enforcing least privilege on processes handling the vulnerable stun-pass parameter.

References