Cyber Posture

CVE-2026-5993

Critical

Published: 10 April 2026

Modified: 27 April 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0125 (79.5th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

A vulnerability was identified in Totolink A7100RU 7.4cu.2313_b20191024. This vulnerability affects the function setWiFiGuestCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Manipulation of the argument wifiOff leads to OS command injection. The attack can be executed remotely.…

The exploit is publicly available and might be used.

Mitigating Controls (NIST 800-53 r5) [AI]

prevent

Directly validates inputs like the wifiOff argument in the setWiFiGuestCfg CGI function to block OS command injection exploits.

prevent

Ensures timely patching of the specific flaw in Totolink A7100RU firmware version 7.4cu.2313_b20191024 to remediate the command injection vulnerability.

prevent

Enforces authentication and access controls on the /cgi-bin/cstecgi.cgi endpoint to block unauthenticated remote exploitation.

Security Summary [AI]

CVE-2026-5993 is an OS command injection vulnerability affecting the Totolink A7100RU router running firmware version 7.4cu.2313_b20191024. The issue resides in the setWiFiGuestCfg function within the /cgi-bin/cstecgi.cgi file of the CGI Handler component, where manipulation of the wifiOff argument enables attackers to inject arbitrary operating system commands. Published on 2026-04-10, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-77 (Command Injection) and CWE-78 (OS Command Injection).

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network. By sending a specially crafted request to the vulnerable CGI endpoint, they can execute arbitrary OS commands on the router, potentially achieving full compromise including data exfiltration, modification of configurations, or disruption of services.

Advisories referenced in VulDB entries (vuln/356547 and related pages) document the vulnerability and note that a public exploit is available on GitHub at https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_165/README.md. The manufacturer's site at https://www.totolink.net/ is listed, but no specific patches or mitigation steps are detailed in the provided information.

The exploit's public availability increases the risk of real-world exploitation against unpatched Totolink A7100RU devices.

Details

CWE(s)

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

The vulnerability is a command injection in a public-facing CGI endpoint on a router, directly enabling exploitation of public-facing applications (T1190) and arbitrary OS command execution via Unix shell (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
