CVE-2026-31181
Published: 23 April 2026
Summary
CVE-2026-31181 is a critical-severity OS Command Injection (CWE-78) vulnerability in Totolink A3300R Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 38.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation and sanitization of user inputs like the stunServerAddr parameter to prevent command injection attacks.
Mandates timely identification, reporting, and remediation of flaws such as the command injection vulnerability in the cstecgi.cgi script.
Enforces restrictions on input types, formats, and quantities for parameters like stunServerAddr to block malicious command sequences.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection in public-facing CGI endpoint (/cgi-bin/cstecgi.cgi) enables unauthenticated remote exploitation of public-facing application (T1190) leading to arbitrary OS command execution on network device (T1059.008).
NVD Description
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunServerAddr parameter to /cgi-bin/cstecgi.cgi.
Deeper analysisAI
CVE-2026-31181 is a command injection vulnerability (CWE-78) discovered in ToToLink A3300R firmware version v17.0.0cu.557_B20221024. The issue resides in the /cgi-bin/cstecgi.cgi component, where the stunServerAddr parameter fails to properly sanitize user input, enabling attackers to inject and execute arbitrary operating system commands.
With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the vulnerability is exploitable remotely over the network by unauthenticated attackers requiring low complexity and no user interaction. Successful exploitation allows arbitrary command execution on the device, granting high-impact control over confidentiality, integrity, and availability, which could result in complete compromise of the affected router.
References point to GitHub repositories at https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-server-addr-cmd-injection, which detail the vulnerability and likely include proof-of-concept code for reproduction and exploitation. No vendor advisories, patches, or official mitigation guidance are specified in the available information.
Details
- CWE(s)