External risk intelligence

Attacker can control ToToLink A3300R routers and disrupt service.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-31175

Attackers can take control of ToToLink A3300R routers remotely, potentially disrupting service or accessing sensitive information, as they can execute unauthorized commands without needing a password.

4Halo Surface Signal

Totolink A3300r Firmware

17.0.0cu.557_b20221024

External exposure likelihood

Halo Surface Signal score for CVE-2026-31175

The vulnerability resides in the web management interface of a network router, which acts as an internet edge gateway. Although management interfaces are typically intended for local access, they are commonly reachable from the internet in many consumer and small office deployments, often exposing the management surface directly to external networks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

An issue in ToToLink A3300R firmware allows attackers to run unauthorized commands. This is significant because it could let someone take control of affected devices.

  • Commands can be executed remotely.
  • Devices could be compromised without warning.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this by sending a specially crafted request to the router's web interface. This request will target the stunEnable parameter within the cstecgi.cgi script, injecting malicious commands that the router will then execute. This allows for full compromise of the device.

  • No authentication required.
  • Web interface is the attack surface.
  • Exploitable remotely over the network.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows for unauthenticated remote command execution on a router, a critical network device. The fact that it's unauthenticated and directly executable over the network via the router's web interface makes it a prime target. Attackers often favor these types of flaws for their potential to compromise entire networks.

  • Public exploit code exists.
  • No indication of active exploitation.
  • Recently disclosed.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize isolating or taking offline any affected ToToLink A3300R devices running firmware version 17.0.0cu.557_B20221024, as this critical vulnerability allows unauthenticated command injection. Actively monitor network traffic for signs of exploitation targeting the `/cgi-bin/cstecgi.cgi` endpoint. If affected devices cannot be immediately taken offline, implement strict firewall rules to block external access to the device's web management interface.

  • Block external access to web interface.
  • Investigate and block malicious traffic.
  • Identify all affected devices.

Frequently asked questions

What is the ToToLink A3300R router and its affected firmware version?

The ToToLink A3300R is a network router. The specific firmware version affected by the vulnerability is v17.0.0cu.557_B20221024.

What type of vulnerability does CVE-2026-31175 represent?

CVE-2026-31175 is a command injection vulnerability, also known as CWE-77. This type of vulnerability allows attackers to execute arbitrary operating system commands on a target system by sending specially crafted input.

How can an attacker exploit this vulnerability?

An attacker can exploit this by sending a malicious request to the router's web interface, targeting parameters such as stunEnable, stunPort, stunMaxAlive, informEnable, or stunPass within the /cgi-bin/cstecgi.cgi script. This input is not properly validated, allowing the attacker to inject commands that the router will then execute.

What is the relevance of this vulnerability according to Halo Surface Signal?

Halo Surface Signal classifies this CVE as 'Likely' due to its presence in the web management interface of a network router, which is often exposed to the internet and acts as an internet edge gateway. This makes the management surface accessible from external networks [cite: context].

What steps should be taken to respond to this vulnerability?

To respond to this vulnerability, it is recommended to isolate or take offline affected ToToLink A3300R devices. Network traffic should be monitored for signs of exploitation targeting the /cgi-bin/cstecgi.cgi endpoint. If devices cannot be taken offline, strict firewall rules should be implemented to block external access to the web management interface.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified