Description
An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunPort parameter to /cgi-bin/cstecgi.cgi.
Published: 2026-04-23
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution
Action: Apply Patch
AI Analysis

Impact

The TOTOLINK A3300R firmware contains a command-injection flaw that is triggered by supplying an attacker-chosen string as the stunPort parameter of the /cgi-bin/cstecgi.cgi endpoint. A STUN port should only ever be a decimal number; in the pattern characteristic of CWE-77, the value is not constrained to that form before it reaches a command interpreter, so shell metacharacters in it are honoured and the attacker runs arbitrary commands with the privileges of the router's web daemon. On consumer routers that daemon commonly runs as root, in which case this amounts to full device compromise, although the CVSS vector assigned to the record rates the confidentiality and integrity impact as Low. The weakness is a classic instance of CWE-77 (Improper Neutralization of Special Elements used in a Command, "Command Injection").

Affected Systems

Affected devices are TOTOLINK routers of the A3300R model running firmware version 17.0.0cu.557_B20221024. No product variations are listed beyond this firmware build, so any device identified by the CPE strings provided is likely vulnerable.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) reflects moderate severity: the endpoint is reachable over the network, the attack is low complexity, and it needs neither privileges nor user interaction, but the assessed confidentiality and integrity impact is Low and there is no availability impact. The EPSS score of less than 1% indicates that widespread real-world exploitation is currently considered unlikely, and the vulnerability is not listed in CISA's KEV catalog. The SSVC assessment attached to the record does, however, note a public proof of concept (Exploitation: poc) and rates the attack as automatable, so reachability of the web service is the deciding factor. Nothing in the description suggests the attacker needs more than an HTTP path to /cgi-bin/cstecgi.cgi: a single crafted request carrying the stunPort parameter suffices. The record does not say whether the endpoint is exposed on the WAN by default, so any network that can reach the router's web UI should be treated as in scope, typically the LAN and, where remote management is enabled, the Internet-facing interface.

Generated by OpenCVE AI on April 28, 2026 at 15:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device to a firmware version that fixes the command injection in the stunPort handling as soon as the vendor publishes one; none is listed on this record yet. Until then, restrict who can reach the web management interface rather than trying to filter the single path: /cgi-bin/cstecgi.cgi is served by the same web UI that administrators use, and consumer routers rarely offer per-URL access control, so in practice this means disabling WAN-side (remote) management and limiting LAN access to the web UI to an administrative host or VLAN.
  • Disabling the STUN feature in the router's settings reduces legitimate use of the parameter but should not be assumed to remove the vulnerable handler: the flaw is in how the CGI processes a stunPort value supplied in a request, and an attacker supplies that value directly. Do not try to neutralise the parameter by storing null or malformed values through the configuration interface; that submits unexpected input to the very handler that is vulnerable.
  • Configure network perimeter devices or a local firewall to block inbound traffic to the router's web management interface from untrusted networks. Where the device exposes web server logs, or from a proxy or IDS in front of it, alert on any request to /cgi-bin/cstecgi.cgi whose stunPort value is anything other than a plain decimal port number; such values have no legitimate purpose for this field.

Generated by OpenCVE AI on April 28, 2026 at 15:09 UTC.
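The root cause described under Impact (a port value that reaches a command interpreter without being constrained to a number) and the monitoring advice in the recommended actions come down to the same check. The following Python is an added example for this page, not TOTOLINK firmware or OpenCVE code. It assumes, which the CVE text does not specify, that stunPort arrives either in the query string or in a JSON or form-encoded POST body; the sample requests are constructed to exercise the check and are not payloads known to work against the device. The block shows the allow-list validation a fixed handler should apply to the parameter and reuses that predicate to flag requests worth alerting on.

```python
"""Allow-list validation and request scanning for the stunPort parameter
of /cgi-bin/cstecgi.cgi.

Added example for this page; not firmware code from TOTOLINK or OpenCVE.
Assumptions (not stated in the CVE record): stunPort arrives in the query
string or in a JSON/form-encoded POST body, and a correct value is a
decimal TCP/UDP port. Sample traffic below is constructed.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/cgi-bin/cstecgi.cgi"
PARAM = "stunPort"

# A port is a plain decimal in 1..65535. Anything else (shell metacharacters,
# whitespace, an empty string, a sign, hex) is rejected before the value could
# be handed to a shell, which is the allow-list check CWE-77 calls for.
_PORT_RE = re.compile(r"^[1-9][0-9]{0,4}$")


def is_valid_port(value):
    """True only for a canonical decimal port number 1..65535."""
    return bool(_PORT_RE.match(value)) and int(value) <= 65535


def extract_stun_port(method, target, body):
    """Return every stunPort value carried by one request to the endpoint.

    target is the request-target (path plus optional query); body is the raw
    POST body, parsed as JSON first and as form-encoded data otherwise.
    """
    values = []
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return values
    values += parse_qs(parts.query, keep_blank_values=True).get(PARAM, [])
    if method.upper() == "POST" and body:
        try:
            data = json.loads(body)
        except ValueError:
            # Not JSON: treat as application/x-www-form-urlencoded (assumption).
            data = {k: v[0] for k, v in
                    parse_qs(body, keep_blank_values=True).items()}
        if isinstance(data, dict) and PARAM in data:
            values.append(str(data[PARAM]))
    return values


def flag_suspicious(requests):
    """Return (index, value) for each request whose stunPort fails validation.

    requests is an iterable of (method, target, body) tuples as a proxy or IDS
    in front of the router would see them.
    """
    hits = []
    for i, (method, target, body) in enumerate(requests):
        for v in extract_stun_port(method, target, body):
            if not is_valid_port(v):
                hits.append((i, v))
    return hits


# Constructed sample traffic; not captured from a real device.
SAMPLE_REQUESTS = [
    ("POST", "/cgi-bin/cstecgi.cgi", '{"stunPort": "3478"}'),
    ("POST", "/cgi-bin/cstecgi.cgi", '{"stunPort": "3478;id"}'),
    ("GET", "/cgi-bin/cstecgi.cgi?stunPort=3478%7Creboot", ""),
    ("GET", "/cgi-bin/cstecgi.cgi?stunPort=65536", ""),
    ("GET", "/index.html?stunPort=foo", ""),
]

if __name__ == "__main__":
    for idx, val in flag_suspicious(SAMPLE_REQUESTS):
        print("request %d: rejected stunPort=%r" % (idx, val))
```

The fix and the detector share one predicate on purpose: a handler that accepts only what is_valid_port accepts cannot pass metacharacters to a shell no matter how the value is later used, and a monitor that alerts on the complement of that predicate needs no signature list of payloads. Out-of-range numbers such as 65536 are flagged as well because a correct handler would reject them, so seeing them is still evidence of someone probing the parameter.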


Advisories

No advisories yet.

History

Tue, 28 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Title Command Injection through STUN Port Parameter in TOTOLINK A3300R Firmware

Mon, 27 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Totolink
Totolink a3300r
Totolink a3300r Firmware
CPEs cpe:2.3:h:totolink:a3300r:-:*:*:*:*:*:*:*
cpe:2.3:o:totolink:a3300r_firmware:17.0.0cu.557_b20221024:*:*:*:*:*:*:*
Vendors & Products Totolink
Totolink a3300r
Totolink a3300r Firmware

Thu, 23 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Description
  Removed: An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stun-port parameter to /cgi-bin/cstecgi.cgi.
  Added: An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stunPort parameter to /cgi-bin/cstecgi.cgi.

Thu, 23 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-77
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
Description An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stun-port parameter to /cgi-bin/cstecgi.cgi.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-23T18:42:25.065Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31179

Vulnrichment

Updated: 2026-04-23T17:42:51.334Z

NVD

Status : Analyzed

Published: 2026-04-23T18:16:25.170

Modified: 2026-04-27T14:58:31.283

Link: CVE-2026-31179

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T15:15:34Z

Weaknesses