Cyber Posture

CVE-2026-36841

Critical

Published: 29 April 2026

Modified: 29 April 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0012 (29.8th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

TOTOLINK N200RE V5 was discovered to contain a command injection vulnerability via the macstr and bandstr parameters in the formMapDelDevice function.

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent: SI-10 mandates validation and sanitization of user inputs like macstr and bandstr parameters to directly prevent command injection in the formMapDelDevice function.

Prevent: SI-2 requires timely identification, prioritization, and remediation of flaws such as this command injection vulnerability through patching or disabling affected components.

Prevent: AC-14 limits permitted actions without identification or authentication, preventing unauthenticated remote access to the vulnerable formMapDelDevice endpoint.

Security Summary [AI]

CVE-2026-36841 is a command injection vulnerability (CWE-77) affecting the TOTOLINK N200RE V5 router. The flaw resides in the formMapDelDevice function, where user input supplied in the macstr and bandstr parameters is not properly sanitized, enabling arbitrary command execution. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its network accessibility and severe impacts.

Remote attackers require only network access to the vulnerable device, with no authentication, privileges, or user interaction needed. Exploitation involves sending crafted requests to the affected endpoint, allowing attackers to execute arbitrary operating system commands. This can grant full control over the router, enabling data theft, traffic manipulation, persistent access, or denial of service.

References point to GitHub repositories under 0xmania/cve, which contain details and proof-of-concept exploit code for the TOTOLINK N200RE V5 cstecgi-formMapDelDevice command injection. No vendor advisories or patches are detailed in the available information.

Details

CWE(s)

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Command injection in the unauthenticated web management interface (formMapDelDevice) directly enables remote OS command execution on the Linux-based router, which maps to T1190 (Exploit Public-Facing Application) and T1059.004 (Unix Shell).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References