CVE-2026-5995

Critical

Published: 10 April 2026

Published

10 April 2026

Modified

27 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0125 79.5th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

A weakness has been identified in Totolink A7100RU 7.4cu.2313_b20191024. Impacted is the function setMiniuiHomeInfoShow of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument lan_info can lead to os command injection. The attack may be…

performed from remote. The exploit has been made available to the public and could be used for attacks.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents OS command injection by requiring validation of the lan_info argument in the vulnerable setMiniuiHomeInfoShow CGI function.

SI-2 Flaw Remediation good match

prevent

Mandates timely identification, reporting, and correction of the specific command injection flaw in the Totolink router firmware.

SI-9 Information Input Restrictions good match

prevent

Restricts the lan_info input to organization-defined safe values, blocking injection of arbitrary OS commands via the CGI handler.

Security SummaryAI

CVE-2026-5995 is an OS command injection vulnerability affecting the Totolink A7100RU router on firmware version 7.4cu.2313_b20191024. The issue lies in the setMiniuiHomeInfoShow function of the /cgi-bin/cstecgi.cgi CGI handler component, where manipulation of the lan_info argument enables injection of arbitrary operating system commands. It is classified under CWE-77 (Command Injection) and CWE-78 (OS Command Injection).

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), making it critically severe due to its network accessibility, low complexity, lack of required privileges or user interaction, and potential for high impacts on confidentiality, integrity, and availability. Remote unauthenticated attackers can exploit it over the network to execute arbitrary OS commands, achieving full device compromise.

Advisories and exploit details are documented on VulDB (vuln/356549 and related pages) and a GitHub repository at Litengzheng/vuldb_new/blob/main/A7100RU/vul_167/README.md. The vendor site is available at totolink.net, but specific patch or mitigation guidance is not outlined in the disclosure.

The exploit has been publicly released, heightening the risk of active exploitation against unpatched Totolink A7100RU devices.

Details

CWE(s): CWE-77 CWE-78

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

CVE-2026-5995 enables remote unauthenticated OS command injection via a public-facing router CGI handler, directly facilitating T1190 (Exploit Public-Facing Application) and T1059.004 (Unix Shell) execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_167/README.md
cna@vuldb.com
https://vuldb.com/submit/792043
cna@vuldb.com
https://vuldb.com/vuln/356549
cna@vuldb.com
https://vuldb.com/vuln/356549/cti
cna@vuldb.com
https://www.totolink.net/
cna@vuldb.com