Description
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stun_user parameter to /cgi-bin/cstecgi.cgi.
Published: 2026-04-23
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Update Firmware
AI Analysis

Impact

A command injection flaw exists in the /cgi-bin/cstecgi.cgi handler of ToToLink A3300R firmware, which allows an attacker to supply an arbitrary string in the stun_user parameter and execute arbitrary OS commands on the device. This vulnerability can compromise confidentiality, integrity, and availability by enabling a malicious user to take full control of the router.

Affected Systems

The vulnerability affects ToToLink A3300R devices running firmware version 17.0.0cu.557_B20221024. No other affected product versions are publicly documented.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. The EPSS score is below 1%, suggesting a low probability that the flaw will be actively exploited in the near term, and the vulnerability is not yet listed in the CISA KEV catalog. The attack vector is inferred to be remote over the network, as the vulnerable CGI endpoint is accessible via standard HTTP requests. If an attacker can reach the device, they can invoke arbitrary commands and potentially compromise the entire system.

Generated by OpenCVE AI on April 28, 2026 at 15:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version of the firmware that contains the fix for the command injection flaw.
  • Fail‑over by blocking or restricting access to the /cgi-bin/cstecgi.cgi endpoint and the stun_user parameter via network firewalls or ACLs.
  • If the policy allows, modify the CGI to remove or sanitize the stun_user input to eliminate the injection vector.

Generated by OpenCVE AI on April 28, 2026 at 15:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Title Stun User Parameter Command Injection in ToToLink A3300R Firmware

Fri, 24 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Totolink
Totolink a3300r
Totolink a3300r Firmware
CPEs cpe:2.3:h:totolink:a3300r:-:*:*:*:*:*:*:*
cpe:2.3:o:totolink:a3300r_firmware:17.0.0cu.557_b20221024:*:*:*:*:*:*:*
Vendors & Products Totolink
Totolink a3300r
Totolink a3300r Firmware

Thu, 23 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Description An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stun-user parameter to /cgi-bin/cstecgi.cgi. An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stun_user parameter to /cgi-bin/cstecgi.cgi.

Thu, 23 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-77
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
Description An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stun-user parameter to /cgi-bin/cstecgi.cgi.
References

Subscriptions

Totolink A3300r A3300r Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-23T18:43:43.726Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31176

cve-icon Vulnrichment

Updated: 2026-04-23T17:48:09.408Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-23T18:16:24.857

Modified: 2026-04-24T15:12:13.440

Link: CVE-2026-31176

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T15:15:34Z

Weaknesses