Cyber Resilience

CVE-2026-1547

Medium · Public PoC

Published: 28 January 2026

Modified: 09 February 2026
CVSS Score v4: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0252 (82.8th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-1547 is a medium-severity Injection (CWE-74) vulnerability in Totolink A7000R Firmware. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 17.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-1547 is a command injection vulnerability in the Totolink A7000R router running firmware version 4.1cu.4154. It affects the setUnloadUserData function within the /cgi-bin/cstecgi.cgi script, where the plugin_name argument is improperly handled, allowing attackers to inject arbitrary commands. The issue aligns with CWE-74 (improper neutralization of special elements) and CWE-77 (command injection), earning a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

Attackers with low privileges, such as authenticated users, can exploit this remotely over the network with low complexity and no user interaction required. Successful exploitation enables limited command execution on the device, potentially leading to low-impact confidentiality, integrity, and availability compromises, such as data leakage, minor configuration changes, or service disruptions.

Public proof-of-concept exploits are available in GitHub repositories that detail the RCE via setUnloadUserData, including specific PoC instructions. VulDB advisories (ctiid.343231, id.343231, submit.739713) document the vulnerability, but the provided references detail no vendor patches or specific mitigation steps. Security practitioners should isolate affected devices and monitor for anomalous CGI requests until firmware updates are confirmed.

Vulnerability details

A vulnerability was detected in Totolink A7000R 4.1cu.4154. This affects the function setUnloadUserData of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument plugin_name results in command injection. It is possible to launch the attack remotely. The exploit is now public and may be used.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 · Unix Shell · Execution
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Command injection in the router's public-facing CGI script enables remote exploitation (T1190) and arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-1601 · Same product: Totolink A7000R
CVE-2026-1548 · Same product: Totolink A7000R
CVE-2026-5104 · Same vendor: Totolink
CVE-2026-0641 · Same vendor: Totolink
CVE-2026-5103 · Same vendor: Totolink
CVE-2026-5177 · Same vendor: Totolink
CVE-2025-7524 · Same vendor: Totolink
CVE-2026-1149 · Same vendor: Totolink
CVE-2025-7952 · Same vendor: Totolink
CVE-2026-1327 · Same vendor: Totolink

Affected Assets

Vendor: totolink
Product: a7000r firmware
Version: 4.1cu.4154

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates command injection by requiring validation and sanitization of untrusted inputs like the plugin_name argument in the cstecgi.cgi script.

prevent

Addresses the root cause through timely identification, reporting, and remediation of the specific command injection flaw in Totolink A7000R firmware.

detect

Supports detection of exploitation attempts by monitoring for anomalous remote requests to the vulnerable setUnloadUserData function in cstecgi.cgi.
