{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-31174", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-23T18:45:55.667Z", "dateReserved": "2026-03-09T00:00:00.000Z", "datePublished": "2026-04-23T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-23T17:52:55.734Z"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the informEnable parameter to /cgi-bin/cstecgi.cgi."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-inform-enable-cmd-injection"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "references": [{"url": "https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-inform-enable-cmd-injection", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T18:45:17.525962Z", "id": "CVE-2026-31174", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T18:45:55.667Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-31174", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-23T18:45:17.525962Z"}}}], "references": [{"url": "https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-inform-enable-cmd-injection", "tags": ["exploit"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T18:45:50.702Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-inform-enable-cmd-injection"}], "descriptions": [{"lang": "en", "value": "An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the informEnable parameter to /cgi-bin/cstecgi.cgi."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-23T17:52:55.734Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31174", "state": "PUBLISHED", "dateUpdated": "2026-04-23T18:45:55.667Z", "dateReserved": "2026-03-09T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-23T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:totolink:a3300r_firmware:17.0.0cu.557_b20221024:*:*:*:*:*:*:*", "matchCriteriaId": "DD39B647-3419-4C6D-A6A2-30F40822A27D", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:totolink:a3300r:-:*:*:*:*:*:*:*", "matchCriteriaId": "7F723A73-4B32-4F9E-B5DA-80134D4711C1", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the informEnable parameter to /cgi-bin/cstecgi.cgi."}], "id": "CVE-2026-31174", "lastModified": "2026-04-24T15:12:34.600", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-23T18:16:24.677", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-inform-enable-cmd-injection"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-inform-enable-cmd-injection"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "17.0.0cu.557_b20221024"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "a3300r_firmware", "vendor": "totolink"}], "analysis": {"en": {"generated_at": "2026-04-28T15:07:17.085089+00:00", "value": {"mitigation_remediation": ["Update the device firmware to a version that removes or hardens the /cgi-bin/cstecgi.cgi interface.", "Limit management access to the device by restricting the management port to trusted internal networks or VPNs.", "Implement input validation or a Web Application Firewall rule that blocks or sanitizes the informEnable parameter to prevent arbitrary command injection."], "summary": {"action": "Apply Patch", "impact": "Remote Command Execution via Command Injection"}, "threat_synthesis": {"affected_systems": "Totolink A3300R routers running firmware version 17.0.0cu.557_B20221024 are affected. The vulnerability is tied to the cgi-bin interface and the informEnable parameter within that firmware.", "description_and_impact": "The vulnerability allows an attacker to inject arbitrary system commands through the informEnable parameter in the /cgi-bin/cstecgi.cgi interface. This is a classic command injection flaw (CWE\u201177) that can give an attacker full control over the affected device. The impact is serious in that an attacker can read, modify, or delete configuration data, install additional software, or use the device as a pivot for further attacks in the network. No information is provided about the need for authentication, so it is unlikely to be limited to privileged users.", "risk_and_exploitability": "The CVSS score of 6.5 indicates the flaw is moderate, and the EPSS score of less than 1% suggests the likelihood of real-world exploitation is low at present. The vulnerability has not been listed in the CISA KEV catalog, which further reduces the current threat posture. The likely attack vector is through a remote HTTP or HTTPS request sent to /cgi-bin/cstecgi.cgi with a crafted informEnable value. An attacker with network access to the device or an exposed management interface would be able to exploit this flaw."}}}}, "created": "2026-04-27T20:20:54.947977+00:00", "title": "Command Injection via informEnable in Totolink A3300R Firmware", "updated": "2026-04-28T15:15:34.203722+00:00", "vendors": ["totolink", "totolink$PRODUCT$a3300r_firmware"]}