Description
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the pppoeMtu parameter to /cgi-bin/cstecgi.cgi.
Published: 2026-04-23
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: arbitrary command execution
Action: apply firmware update
AI Analysis

Impact

The vulnerability is a command injection flaw (CWE‑77) that allows an attacker to supply arbitrary shell commands through the pppoeMtu parameter of the /cgi-bin/cstecgi.cgi script on the ToToLink A3300R router. This flaw gives the attacker the ability to run commands with the privileges of the web service; it is inferred that this could compromise the device’s operating system and the data it handles. The impact includes risks to confidentiality, integrity, and availability on the affected network segment.

Affected Systems

ToToLink A3300R routers running firmware version 17.0.0cu.557_B20221024.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity and the EPSS score of <1% suggests a low current exploitation probability; the vulnerability is not listed in the CISA KEV catalog. The flaw exists in a web‑accessible script called /cgi-bin/cstecgi.cgi that accepts a pppoeMtu parameter. It is likely that a remote attacker with access to the router’s HTTP interface could send a specially crafted request to that endpoint and, using the command injection weakness, execute supplied commands with the privileges of the web service.

Generated by OpenCVE AI on April 28, 2026 at 20:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the router to the latest firmware that addresses this vulnerability.
  • If a patch is not yet available, restrict access to the /cgi-bin/cstecgi.cgi endpoint to trusted networks only, using firewall rules or access‑control lists.
  • Add input validation for the pppoeMtu parameter to accept only numeric values, rejecting any non‑numeric characters before processing.

Generated by OpenCVE AI on April 28, 2026 at 20:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
Title Command Injection via PPPoE MTU Parameter in ToToLink A3300R Firmware

Fri, 24 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Totolink
Totolink a3300r
Totolink a3300r Firmware
CPEs cpe:2.3:h:totolink:a3300r:-:*:*:*:*:*:*:*
cpe:2.3:o:totolink:a3300r_firmware:17.0.0cu.557_b20221024:*:*:*:*:*:*:*
Vendors & Products Totolink
Totolink a3300r
Totolink a3300r Firmware

Thu, 23 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-77
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Description An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the pppoeMtu parameter to /cgi-bin/cstecgi.cgi.
References

Subscriptions

Totolink A3300r A3300r Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-23T18:33:53.735Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31164

cve-icon Vulnrichment

Updated: 2026-04-23T18:33:36.783Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-23T18:16:24.310

Modified: 2026-04-24T15:13:03.960

Link: CVE-2026-31164

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T20:45:16Z

Weaknesses