Cyber Posture

CVE-2026-1547

Medium · Public PoC

Published: 28 January 2026

Modified: 09 February 2026
KEV Added
Patch
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0059 (69.2th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Description

A vulnerability was detected in Totolink A7000R 4.1cu.4154. This affects the function setUnloadUserData of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument plugin_name results in command injection. It is possible to launch the attack remotely. The exploit is now public and may be used.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly mitigates command injection by requiring validation and sanitization of untrusted inputs like the plugin_name argument in the cstecgi.cgi script.

prevent

Addresses the root cause through timely identification, reporting, and remediation of the specific command injection flaw in Totolink A7000R firmware.

detect

Supports detection of exploitation attempts by monitoring for anomalous remote requests to the vulnerable setUnloadUserData function in cstecgi.cgi.

Security Summary · AI

CVE-2026-1547 is a command injection vulnerability in the Totolink A7000R router running firmware version 4.1cu.4154. It affects the setUnloadUserData function within the /cgi-bin/cstecgi.cgi script, where the plugin_name argument is improperly handled, allowing attackers to inject arbitrary commands. The issue aligns with CWE-74 (improper neutralization of special elements) and CWE-77 (command injection), earning a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

Attackers with low privileges, such as authenticated users, can exploit this remotely over the network with low complexity and no user interaction required. Successful exploitation enables limited command execution on the device, potentially leading to low-impact confidentiality, integrity, and availability compromises, such as data leakage, minor configuration changes, or service disruptions.

Public proof-of-concept exploits are available on GitHub at repositories detailing the RCE via setUnloadUserData, including specific PoC instructions. VulDB advisories (ctiid.343231, id.343231, submit.739713) document the vulnerability, but no vendor patches or specific mitigation steps are detailed in the provided references. Security practitioners should isolate affected devices and monitor for anomalous CGI requests until firmware updates are confirmed.
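The monitoring recommended above can be sketched as a triage pass over captured requests. This is an added example, not code from the vendor or the advisories; it assumes a proxy or sensor that records request bodies as JSON lines with hypothetical fields `src`, `path` and `body`, that the CGI body is JSON, and that legitimate `plugin_name` values are short plain identifiers.

```python
import json
import re

CGI_PATH = "/cgi-bin/cstecgi.cgi"
HANDLER = "setUnloadUserData"
# Assumption: legitimate plugin names are short plain identifiers.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")

def triage(record):
    """Classify one captured request record as ignore, review or alert."""
    if record.get("path", "").split("?", 1)[0] != CGI_PATH:
        return ("ignore", "other endpoint")
    body = record.get("body") or ""
    try:
        params = json.loads(body)
    except ValueError:
        params = None
    if not isinstance(params, dict):
        # A body we cannot parse that still names the handler needs a human look.
        return ("alert", "unparseable body") if HANDLER in body else ("ignore", "no handler")
    if HANDLER not in map(str, params.values()):
        return ("ignore", "different handler")
    name = params.get("plugin_name")
    if not isinstance(name, str) or not SAFE_NAME.fullmatch(name):
        return ("alert", "plugin_name fails allowlist: %r" % (name,))
    return ("review", "handler called with well-formed plugin_name")

def scan(lines):
    """Return (src, verdict, reason) for every record that is not ignored."""
    hits = []
    for line in lines:
        record = json.loads(line)
        verdict, reason = triage(record)
        if verdict != "ignore":
            hits.append((record.get("src"), verdict, reason))
    return hits

def _rec(src, path, params):
    return json.dumps({"src": src, "path": path, "body": json.dumps(params)})

# Constructed sample records; "handler" and "otherHandler" are hypothetical names.
SAMPLE_LOG = [
    _rec("192.0.2.10", CGI_PATH, {"handler": HANDLER, "plugin_name": "usb_share"}),
    _rec("192.0.2.11", CGI_PATH, {"handler": HANDLER, "plugin_name": "demo;x"}),
    _rec("192.0.2.12", CGI_PATH, {"handler": "otherHandler"}),
    _rec("192.0.2.13", "/index.html", {}),
    _rec("192.0.2.14", CGI_PATH, {"handler": HANDLER, "plugin_name": ["x"]}),
]

if __name__ == "__main__": print(*scan(SAMPLE_LOG), sep="\n")
```

The allowlist rejects anything that is not a plain identifier instead of enumerating shell metacharacters, so it does not depend on knowing how the injected value is shaped. Well-formed calls are still surfaced as `review` so they can be checked against the expected source addresses.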

Details

CWE(s)

Affected Products

totolink
a7000r firmware
4.1cu.4154

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in router's public-facing CGI script enables remote exploitation (T1190) and arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References