CVE-2026-31175
Published: 23 April 2026
Summary
CVE-2026-31175 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink A3300R Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 38.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-8 (Identification and Authentication (Non-organizational Users)) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents command injection by requiring validation and sanitization of the unsanitized stunEnable parameter in the cstecgi.cgi endpoint.
Remediates the specific command injection flaw in ToToLink A3300R firmware through timely identification, reporting, and patching.
Mitigates unauthenticated remote exploitation by requiring identification and authentication for non-organizational users accessing the vulnerable web interface.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2026-31175 is a command injection vulnerability in a public-facing web interface (router CGI endpoint), enabling unauthenticated remote exploitation for arbitrary OS command execution, directly mapping to T1190 and facilitating T1059.004 on likely Unix/Linux-based firmware.
NVD Description
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunEnable parameter to /cgi-bin/cstecgi.cgi.
Deeper analysisAI
CVE-2026-31175 is a command injection vulnerability (CWE-77) discovered in the ToToLink A3300R firmware version v17.0.0cu.557_B20221024. It affects the web interface component, specifically the /cgi-bin/cstecgi.cgi endpoint, where the stunEnable parameter fails to properly sanitize user input, enabling attackers to inject and execute arbitrary operating system commands.
The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical), with network accessibility (AV:N), low attack complexity (AC:L), no required privileges (PR:N), no user interaction (UI:N), and high impacts on confidentiality (C:H), integrity (I:H), and availability (A:H). Unauthenticated remote attackers can exploit it over the network by sending a crafted HTTP request to the affected endpoint, achieving arbitrary command execution on the device, potentially leading to full router compromise, data theft, or further network pivoting.
References point to GitHub repositories containing proof-of-concept exploit code for the ToToLink A3300R stunEnable command injection, but no official advisories, vendor patches, or specific mitigation guidance are detailed in the provided sources.
Details
- CWE(s)