CVE-2026-31181
ToToLink · A3300R
The ToToLink A3300R router contains a command injection vulnerability in the stunServerAddr parameter of the cstecgi.cgi script, allowing unauthenticated remote code execution.
Executive summary
A critical command injection vulnerability in ToToLink A3300R firmware allows unauthenticated attackers to execute arbitrary system commands, potentially leading to full device compromise.
Vulnerability
This is an OS command injection vulnerability triggered via the stunServerAddr parameter in the /cgi-bin/cstecgi.cgi interface, which does not require authentication to access.
Business impact
The vulnerability carries a CVSS score of 9.8, indicating the highest level of severity. Successful exploitation allows an attacker to gain full administrative control over the network device, facilitating unauthorized access to the local network, traffic interception, and potential lateral movement into the internal infrastructure.
Remediation
Immediate Action: Identify and isolate affected A3300R devices from the public internet immediately. Apply the latest firmware update provided by ToToLink as soon as it becomes available.
Proactive Monitoring: Review system logs for anomalous requests directed at /cgi-bin/cstecgi.cgi containing unexpected shell metacharacters.
Compensating Controls: Restrict administrative access to the web interface to trusted management subnets only and implement WAF rules to filter malicious payloads in CGI parameters.
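The log review in the monitoring item and the parameter filtering in the compensating-controls item can be demonstrated together. The following Python script is an added example written for this advisory; it is not ToToLink code and not part of the original advisory. It assumes Common Log Format access logs, that stunServerAddr arrives in the query string, and that a legitimate STUN server address is a hostname or IPv4 literal with an optional port (the allowlist pattern is an assumption, not a vendor specification). The log lines are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Path of the vulnerable CGI endpoint named in the advisory.
TARGET_PATH = "/cgi-bin/cstecgi.cgi"

# Shell metacharacters that have no legitimate place in a STUN server address.
SHELL_METACHARS = set(";|&`$(){}<>\n\r'\"\\")

# Assumed allowlist for stunServerAddr: hostname or IPv4 literal, optional :port.
VALID_STUN_ADDR = re.compile(r"^[A-Za-z0-9.-]{1,253}(:\d{1,5})?$")

# Common Log Format: client ip, identity, user, [timestamp], "METHOD target PROTO", status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2026:10:00:01 +0000] "GET /cgi-bin/cstecgi.cgi?stunServerAddr=stun.example.net:3478 HTTP/1.1" 200 512
198.51.100.8 - - [01/Jan/2026:10:00:05 +0000] "GET /cgi-bin/cstecgi.cgi?stunServerAddr=203.0.113.9%3Becho%20test HTTP/1.1" 200 512
198.51.100.9 - - [01/Jan/2026:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 1024
198.51.100.10 - - [01/Jan/2026:10:00:12 +0000] "GET /cgi-bin/cstecgi.cgi?stunServerAddr=203.0.113.9%253B%2520echo HTTP/1.1" 200 512
"""


def is_valid_stun_addr(value):
    """Allowlist check usable as a WAF/input rule: True only for host[:port] shapes."""
    return bool(VALID_STUN_ADDR.match(value))


def find_suspicious_params(target):
    """Return (name, decoded_value) for every query parameter containing a shell metacharacter.

    parse_qs performs one round of percent-decoding; a second unquote() catches
    double-encoded payloads such as %253B, which decode to ';' only after two passes.
    """
    query = urlsplit(target).query
    hits = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote(value)
            if any(ch in SHELL_METACHARS for ch in decoded):
                hits.append((name, decoded))
    return hits


def scan_logs(lines):
    """Flag requests to the vulnerable CGI whose parameters carry shell metacharacters."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash on partial logs
        if urlsplit(m["target"]).path != TARGET_PATH:
            continue
        params = find_suspicious_params(m["target"])
        if params:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"], "params": params})
    return findings


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['ip']} -> {TARGET_PATH} status={f['status']} params={f['params']}")
```

Two points worth noting. The double-encoded line is caught only because of the second decode step; a filter that inspects the raw query string once would miss it, so any WAF rule built from this logic should normalise before matching. Parameters submitted in a POST body do not appear in access logs at all, so log review alone gives partial coverage of this endpoint, and the allowlist function is the control to apply at the point where the body is actually parsed.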
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the critical nature of this command injection flaw, immediate remediation is required. Administrators should prioritize firmware updates and ensure the device management interface is not exposed to the public internet to mitigate the risk of remote exploitation.