{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-31170", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-09T18:40:38.265Z", "dateReserved": "2026-03-09T00:00:00.000Z", "datePublished": "2026-04-09T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-09T18:40:38.265Z"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stun-pass parameter to /cgi-bin/cstecgi.cgi."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-pass-cmd-injection"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stun-pass parameter to /cgi-bin/cstecgi.cgi."}], "id": "CVE-2026-31170", "lastModified": "2026-04-09T19:16:23.580", "metrics": {}, "published": "2026-04-09T19:16:23.580", "references": [{"source": "cve@mitre.org", "url": "https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-pass-cmd-injection"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "v17.0.0cu.557_B20221024"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "a3300r", "vendor": "totolink"}], "analysis": {"en": {"generated_at": "2026-04-09T20:56:03.440948+00:00", "value": {"mitigation_remediation": ["Check with the vendor for a firmware update that removes the command\u2011injection flaw and apply it as soon as possible.", "If a patch is not yet available, disable the STUN service or the /cgi-bin/cstecgi.cgi endpoint via the router\u2019s configuration settings to eliminate the attack surface.", "Restrict network access to the router\u2019s management interface by using firewall rules or VLAN segmentation, ensuring only trusted devices can reach the affected endpoint.", "Monitor network traffic for unusual POST or GET requests to /cgi-bin/cstecgi.cgi and investigate promptly."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects ToToLink A3300R routers running firmware version 17.0.0cu.557_B20221024. No other versions or devices are listed as impacted.", "description_and_impact": "An attacker can supply a specially crafted \"stun-pass\" value to the /cgi-bin/cstecgi.cgi endpoint on a ToToLink A3300R router, causing the device to execute arbitrary system commands. This flaw is a classic command\u2010injection vulnerability that can jeopardize the confidentiality, integrity, and availability of the affected device.", "risk_and_exploitability": "The flaw carries a high severity rating because it grants remote execution of commands with the privileges of the web service process. The EPSS score is not available and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires only a crafted HTTP request to the vulnerable CGI script; authentication is not indicated, so the attack vector is likely remote and network\u2011based. An attacker on the same network or with internet access to the router can trigger the vulnerability by sending the malicious request."}}}}, "created": "2026-04-10T08:53:56.618912+00:00", "title": "Arbitrary Command Execution via STUN-Pass Parameter in ToToLink A3300R Firmware", "updated": "2026-04-10T09:33:06.571904+00:00", "vendors": ["totolink", "totolink$PRODUCT$a3300r"], "weaknesses": ["CWE-77", "CWE-94"]}