Command Injection in ToToLink A3300R /cgi-bin/cstecgi.cgi stunEnable Parameter

Successful exploitation allows remote arbitrary command execution on the vulnerable router. The provided CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates no privileges or user interaction are required and that exploitation can result in high impact to confidentiality, integrity, and availability, including full compromise of the device, modification of configuration or system state, disclosure of sensitive information, and service disruption.

Restrict network access to the router management interface and specifically to /cgi-bin/cstecgi.cgi from untrusted networks. Disable remote administration if not required, place the management plane behind trusted internal networks or ACLs, and limit exposure via firewall rules. Monitor for suspicious requests targeting the stunEnable parameter and for signs of unauthorized command execution on affected devices until patched firmware can be deployed.

Upgrade from the affected ToToLink A3300R firmware version v17.0.0cu.557_B20221024 to a vendor-fixed release if one is available. If a patched firmware version has not yet been published, monitor vendor advisories and apply the fix as soon as it is released. Because the issue is in command handling for /cgi-bin/cstecgi.cgi, remediation requires vendor correction of input handling for the stunEnable parameter to prevent command injection.