Cyber Posture

CVE-2026-5994

Critical

Published: 10 April 2026

Modified: 27 April 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0125 (79.5th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. This issue affects the function setTelnetCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Manipulating the argument telnet_enabled results in OS command injection. The attack can be carried out remotely. The exploit has been released to the public and may be used for attacks.

Mitigating Controls (NIST 800-53 r5) [AI]

prevent

Directly validates and sanitizes the telnet_enabled argument in the setTelnetCfg CGI function to prevent OS command injection exploitation.

prevent

Requires timely identification, reporting, and patching of the specific command injection flaw in Totolink A7100RU firmware version 7.4cu.2313_b20191024.

prevent

Mandates identification and authentication for non-organizational users accessing the remotely exploitable CGI handler, blocking unauthenticated remote attacks.

Security Summary [AI]

CVE-2026-5994 is an OS command injection vulnerability (CWE-77, CWE-78) affecting the Totolink A7100RU router on firmware version 7.4cu.2313_b20191024. The issue exists in the setTelnetCfg function of the /cgi-bin/cstecgi.cgi file within the CGI Handler component, where manipulation of the telnet_enabled argument enables arbitrary command execution.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), making it remotely exploitable over the network with low complexity, no privileges, and no user interaction required. Any unauthenticated remote attacker can inject and execute OS commands on the device, potentially achieving full compromise with high impacts to confidentiality, integrity, and availability.

Advisories from VulDB detail the vulnerability at https://vuldb.com/vuln/356548 and related pages, while the vendor site https://www.totolink.net/ provides support resources. A public exploit is available at https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_166/README.md, heightening the risk of active exploitation.

Details

CWE(s)

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.008 Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.
Why these techniques?

Unauthenticated remote OS command injection through a public-facing router CGI handler directly enables exploitation of a public-facing application (T1190) and facilitates arbitrary command execution on the network device CLI (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References