Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

CVE-2026-31170 -- CVSS 9.8 Vulnerability Briefing

CVE-2026-31170 | CVSS 9.8 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-31170 is a critical OS command injection vulnerability in the ToToLink A3300R router firmware version v17.0.0cu.557_B20221024, exploitable through the stun-pass parameter of the /cgi-bin/cstecgi.cgi endpoint.

Technical Detail

The flaw exists in the CGI-based web management interface of the ToToLink A3300R, where the stun-pass parameter is passed to a backend handler without adequate input sanitization, allowing an attacker to inject and execute arbitrary operating system commands. Exploitation is likely achievable via a crafted HTTP request to the /cgi-bin/cstecgi.cgi endpoint, potentially without authentication depending on the device's default configuration. Successful exploitation would result in unauthenticated or low-barrier remote code execution (RCE) on the underlying Linux-based firmware, granting full device control.

Exploitation Status

No known exploit code has been publicly observed as of April 16, 2026. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and no active exploitation in the wild has been confirmed. The exploit maturity is currently assessed as no known exploit, though the straightforward nature of command injection vulnerabilities in CGI interfaces means weaponization risk should not be discounted.

Who Is Targeting This

No specific threat actor attribution at this time. No campaigns or targeted sectors have been associated with this vulnerability. SOHO router vulnerabilities of this class have historically attracted attention from botnet operators and initial access brokers, but no confirmed activity has been linked to this CVE specifically.

What To Do

Administrators using ToToLink A3300R devices running firmware v17.0.0cu.557_B20221024 should check with ToToLink for an updated firmware release and apply it immediately upon availability. In the interim, restrict access to the device's web management interface by disabling remote administration and limiting LAN-side access to trusted hosts only. If the management interface must remain accessible, place the device behind a firewall or access control list that blocks untrusted sources from reaching port 80 or 443. Monitor for unexpected outbound connections or configuration changes on affected devices as potential indicators of compromise. Given the critical CVSS score of 9.8, patch priority should be treated as urgent.

In Focus
All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →