CVE-2026-31170 - Vulnerability Details

- Stun-pass Command Injection in ToToLink A3300R Firmware

Description

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stun-pass parameter to /cgi-bin/cstecgi.cgi.

Published: 2026-04-09

Score: 9.8 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability lies in ToToLink A3300R firmware version 17.0.0cu.557_B20221024, where the stun‑pass parameter sent to /cgi-bin/cstecgi.cgi does not properly validate input. An attacker who can submit a crafted request can inject and execute arbitrary operating system commands on the device. This results in full compromise of the device, exposing any data it processes and allowing the attacker to use the device in further attacks.

Affected Systems

The affected hardware is the ToToLink A3300R router running firmware v17.0.0cu.557_B20221024. No other vendor or product variants are listed in the advisory. The flaw specifically impacts the web interface that processes the stun‑pass parameter for STUN configuration.

Risk and Exploitability

The CVSS score of 9.8 reflects a severe impact and remote exploitation possibility. Although the EPSS score is below 1%, indicating a low popularity of observed exploits, the lack of a security advisory in the KEV catalog suggests no confirmed exploit. The likely attack vector is remote HTTP(S) access to the device; the description infers that exploitation requires sending an HTTP request containing a shell escape in the stun‑pass field. No other prerequisites are disclosed, so any authenticated or unauthenticated attacker able to reach the device could likely succeed.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

AND

cpe:2.3:o:totolink:a3300r_firmware:17.0.0cu.557_b20221024:*:*:*:*:*:*:*

cpe:2.3:h:totolink:a3300r:-:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Totolink

A3300r

95%

Version	Status	Scheme	Platform
`v17.0.0cu.557_B20221024`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest firmware upgrade that addresses the stun‑pass injection flaw as soon as it becomes available.
If an updated firmware is not yet released, block or restrict external access to /cgi-bin/cstecgi.cgi using firewall or access control lists, limiting interaction to trusted IP ranges.
As an interim measure, disable the stun‑pass feature or configure the device to ignore the stun‑pass parameter if the interface allows it.

Generated by OpenCVE AI on April 15, 2026 at 22:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00414.

Exploitation poc

Automatable yes

Technical Impact total

References

Link	Providers
https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-pass-cmd-injection

History

Wed, 22 Apr 2026 16:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Totolink a3300r Firmware
CPEs		cpe:2.3:h:totolink:a3300r:-:::::::* cpe:2.3:o:totolink:a3300r_firmware:17.0.0cu.557_b20221024:::::::*
Vendors & Products		Totolink a3300r Firmware

Wed, 15 Apr 2026 23:00:00 +0000

Type	Values Removed	Values Added
Title		Stun-pass Command Injection in ToToLink A3300R Firmware

Wed, 15 Apr 2026 16:15:00 +0000

Type	Values Removed	Values Added
Title	Arbitrary Command Execution via STUN-Pass Parameter in ToToLink A3300R Firmware
Weaknesses	CWE-94

Tue, 14 Apr 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 10 Apr 2026 10:00:00 +0000

Type	Values Removed	Values Added
Title		Arbitrary Command Execution via STUN-Pass Parameter in ToToLink A3300R Firmware
Weaknesses		CWE-77 CWE-94

Fri, 10 Apr 2026 09:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Totolink Totolink a3300r
Vendors & Products		Totolink Totolink a3300r

Thu, 09 Apr 2026 19:00:00 +0000

Type	Values Removed	Values Added
Description		An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stun-pass parameter to /cgi-bin/cstecgi.cgi.
References		https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-pass-cmd-injection

Subscriptions

Totolink A3300r A3300r Firmware

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-04-09T00:00:00.000Z

Updated: 2026-04-14T16:35:16.705Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31170

Vulnrichment

Updated: 2026-04-14T15:00:22.246Z

NVD

Status : Analyzed

Published: 2026-04-09T19:16:23.580

Modified: 2026-04-22T16:43:08.050

Link: CVE-2026-31170

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T22:45:16Z

Weaknesses

CWE-77

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation poc

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object