Cyber Posture

CVE-2026-5975

Critical

Published: 09 April 2026

Modified: 27 April 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0125 (79.5th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

A vulnerability was identified in Totolink A7100RU 7.4cu.2313_b20191024. The impacted element is the function setDmzCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument wanIdx leads to OS command injection. The attack may be performed from remote. The exploit is publicly available and might be used.

Mitigating Controls (NIST 800-53 r5) AI

prevent

Validating the wanIdx argument in the setDmzCfg CGI function directly prevents OS command injection by rejecting malformed inputs.

prevent

Flaw remediation requires patching the vulnerable firmware version 7.4cu.2313_b20191024 to eliminate the command injection vulnerability.

prevent

Boundary protection at the router's managed interfaces restricts unauthenticated remote access to the vulnerable /cgi-bin/cstecgi.cgi endpoint.
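
The input-validation control listed above, sketched as an added example (not Totolink's code or a vendor patch). It assumes wanIdx is meant to be a small decimal index; the bound `WAN_IDX_MAX`, the helper names and the `wan%d` interface-name format are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define WAN_IDX_MAX 3  /* assumed upper bound; the page does not give the valid range */

/* Accept wanIdx only as a short, purely decimal index.
 * Returns 0 and stores the value on success, -1 on any malformed input. */
static int parse_wan_idx(const char *s, int *out)
{
    size_t len, i;
    int v = 0;

    if (s == NULL || out == NULL)
        return -1;
    len = strlen(s);
    if (len == 0 || len > 2)              /* empty or implausibly long */
        return -1;
    for (i = 0; i < len; i++) {
        if (s[i] < '0' || s[i] > '9')     /* no signs, whitespace or shell metacharacters */
            return -1;
        v = v * 10 + (s[i] - '0');
    }
    if (v > WAN_IDX_MAX)
        return -1;
    *out = v;
    return 0;
}

/* Derive the (hypothetical) interface name from the validated integer,
 * so the raw request string never reaches a command line. */
static int wan_ifname(const char *raw, char *buf, size_t buflen)
{
    int idx, n;

    if (parse_wan_idx(raw, &idx) != 0)
        return -1;
    n = snprintf(buf, buflen, "wan%d", idx);
    return (n > 0 && (size_t)n < buflen) ? 0 : -1;
}

int main(void)
{
    /* Constructed sample values for wanIdx, valid and malformed. */
    const char *samples[] = { "0", "1", "", "1;id", "$(id)", "-1", "99" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char name[16];
        int ok = wan_ifname(samples[i], name, sizeof name) == 0;
        printf("%-8s -> %s\n", samples[i], ok ? name : "rejected");
    }
    return 0;
}
```

Rejecting on an allowlist (digits only, bounded length and range) rather than stripping known-bad characters means the handler fails closed on any input form it was not written to expect.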

Security Summary AI

CVE-2026-5975 is an OS command injection vulnerability in the Totolink A7100RU router running firmware version 7.4cu.2313_b20191024. The issue affects the setDmzCfg function within the /cgi-bin/cstecgi.cgi file of the CGI Handler component, where manipulation of the wanIdx argument enables arbitrary command execution. Classified under CWE-77 and CWE-78, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for complete system compromise.

The vulnerability can be exploited remotely by unauthenticated attackers with network access, requiring low complexity and no user interaction. Successful exploitation allows attackers to inject and execute arbitrary operating system commands, potentially achieving high impacts on confidentiality, integrity, and availability, such as full router control, data exfiltration, or further network pivoting.

Advisories and additional details are available through references including VulDB entries (vuln/356529 and submit/791821), a GitHub repository containing the public exploit (Litengzheng/vuldb_new/blob/main/A7100RU/vul_161/README.md), and the vendor site (totolink.net). These sources document the issue but do not specify patches in the provided information.

A publicly available exploit exists, increasing the risk of real-world abuse against unpatched Totolink A7100RU devices.

Details

CWE(s)

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Unauthenticated remote OS command injection via public-facing router web CGI directly enables T1190 (Exploit Public-Facing Application) and facilitates arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References