OS Command Injection in ToToLink A3300R /cgi-bin/cstecgi.cgi stunServerAddr Parameter

Successful exploitation allows remote arbitrary command execution on the affected router. Based on the provided CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the vulnerability can be exploited over the network with low complexity, requires no privileges and no user interaction, and can result in high impact to confidentiality, integrity, and availability. An attacker could fully compromise the device, access or alter configuration and traffic-handling behavior, and disrupt normal operation.

Restrict network access to the router management interface and specifically to /cgi-bin/cstecgi.cgi from untrusted networks. Disable remote administration if not required, place the management plane behind trusted internal networks only, and use firewall or ACL controls to limit who can reach the device. Monitor for suspicious requests involving the stunServerAddr parameter and isolate or replace affected devices where patching is not yet possible.

Upgrade from the affected ToToLink A3300R firmware version v17.0.0cu.557_B20221024 to a vendor-fixed release if one is available. The vulnerable handling of the stunServerAddr parameter in /cgi-bin/cstecgi.cgi should be corrected by eliminating shell invocation for untrusted input or by implementing strict server-side allowlisting and safe parameter handling. If no patched firmware is currently available, the information is currently not available beyond avoiding use of the affected version.