CVE-2026-31181

ToToLink · A3300R

The ToToLink A3300R router contains a command injection vulnerability in the stunServerAddr parameter of the cstecgi.cgi script, allowing unauthenticated remote code execution.

Executive summary

A critical command injection vulnerability in ToToLink A3300R firmware allows unauthenticated attackers to execute arbitrary system commands, potentially leading to full device compromise.

Vulnerability

This is an OS command injection vulnerability triggered via the stunServerAddr parameter in the /cgi-bin/cstecgi.cgi interface, which does not require authentication to access.

Business impact

The vulnerability carries a CVSS score of 9.8, indicating the highest level of severity. Successful exploitation allows an attacker to gain full administrative control over the network device, facilitating unauthorized access to the local network, traffic interception, and potential lateral movement into the internal infrastructure.

Remediation

Immediate Action: Identify affected A3300R devices and isolate them from the public internet. Apply the latest firmware update provided by ToToLink as soon as it becomes available.

Proactive Monitoring: Review web server and system logs for anomalous requests directed at /cgi-bin/cstecgi.cgi whose parameters, stunServerAddr in particular, contain unexpected shell metacharacters.

Compensating Controls: Restrict administrative access to the web interface to trusted management subnets only and implement WAF rules to filter malicious payloads in CGI parameters.
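As an added example (not code from the advisory or from ToToLink), the log review step above applied to a few constructed access-log lines: it flags requests to /cgi-bin/cstecgi.cgi whose query-string parameters still contain shell metacharacters after percent-decoding. The combined log format, the sample lines and the metacharacter set are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (combined log format); not real device logs.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Mar/2026:10:00:01 +0000] "GET /cgi-bin/cstecgi.cgi?stunServerAddr=stun.example.net HTTP/1.1" 200 120
192.0.2.11 - - [01/Mar/2026:10:00:02 +0000] "GET /cgi-bin/cstecgi.cgi?stunServerAddr=stun.example.net%7C%7Ctrue HTTP/1.1" 200 120
192.0.2.12 - - [01/Mar/2026:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 5120
192.0.2.13 - - [01/Mar/2026:10:00:04 +0000] "GET /cgi-bin/cstecgi.cgi?topicurl=getStatus HTTP/1.1" 200 80
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters that never belong in a hostname or IP address and that a shell would interpret.
SHELL_META = re.compile(r'[;|&`$(){}<>\n\r]')
CGI_PATH = "/cgi-bin/cstecgi.cgi"


def suspicious_params(target):
    """Return (name, value) pairs from the query string that contain shell metacharacters."""
    parts = urlsplit(target)
    if parts.path != CGI_PATH:
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl percent-decodes once; decode again so double-encoded values are not missed.
        decoded = unquote(value)
        if SHELL_META.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(text):
    """Return one finding per log line carrying a cstecgi.cgi request with suspicious parameters."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed log format
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({"src": m.group("src"), "ts": m.group("ts"), "params": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['params']}")
```

Standard access logs do not record POST bodies, so parameters sent in a request body need a request-logging or WAF feed rather than this scan.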

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the critical nature of this command injection flaw, immediate remediation is required. Administrators should prioritize firmware updates and ensure the device management interface is not exposed to the public internet to mitigate the risk of remote exploitation.