CVE-2026-1547
Published: 28 January 2026
Summary
CVE-2026-1547 is a medium-severity Injection (CWE-74) vulnerability in Totolink A7000R Firmware. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 17.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-1547 is a command injection vulnerability in the Totolink A7000R router running firmware version 4.1cu.4154. It affects the setUnloadUserData function within the /cgi-bin/cstecgi.cgi script, where the plugin_name argument is improperly handled, allowing attackers to inject arbitrary commands. The issue aligns with CWE-74 (improper neutralization of special elements) and CWE-77 (command injection), earning a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
Attackers with low privileges, such as authenticated users, can exploit this remotely over the network with low complexity and no user interaction required. Successful exploitation enables limited command execution on the device, potentially leading to low-impact confidentiality, integrity, and availability compromises, such as data leakage, minor configuration changes, or service disruptions.
Public proof-of-concept exploits are available in GitHub repositories describing RCE via setUnloadUserData, including specific PoC instructions. VulDB advisories (ctiid.343231, id.343231, submit.739713) document the vulnerability, but no vendor patches or specific mitigation steps are detailed in the provided references. Security practitioners should isolate affected devices and monitor for anomalous CGI requests until firmware updates are confirmed.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4846
Vulnerability details
A vulnerability was detected in Totolink A7000R 4.1cu.4154. This affects the function setUnloadUserData of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument plugin_name results in command injection. It is possible to launch the attack remotely. The exploit is now public and may be used.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in the router's public-facing CGI script enables remote exploitation (T1190) and arbitrary Unix shell command execution (T1059.004).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly mitigates command injection by requiring validation and sanitization of untrusted inputs like the plugin_name argument in the cstecgi.cgi script.
- SI-2 (Flaw Remediation): Addresses the root cause through timely identification, reporting, and remediation of the specific command injection flaw in Totolink A7000R firmware.
- Monitoring: Supports detection of exploitation attempts by monitoring for anomalous remote requests to the vulnerable setUnloadUserData function in cstecgi.cgi.
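The following is an added example, not code from the advisory or from Totolink, illustrating the SI-10 allowlist check on plugin_name described above together with the monitoring recommendation from the deeper analysis. It assumes a Common Log Format access log with plugin_name passed as a query parameter, an allowlist pattern chosen for the example, and constructed client addresses; the firmware's real request format and naming rules are not documented on this page.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Allowlist for plugin_name. The pattern is an assumption for this example;
# the firmware's real naming rules are not documented on the page.
PLUGIN_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")
# Characters with meaning to a POSIX shell; none belongs in a plugin name.
SHELL_META = set(";|&`$()<>\n\\'\"{}")
# Common Log Format request line (assumed log format for this example).
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def plugin_name_is_valid(name: str) -> bool:
    """SI-10 style check: accept only names that match the allowlist."""
    return PLUGIN_NAME_RE.fullmatch(name) is not None

def inspect_request(log_line: str) -> Optional[dict]:
    """Classify one access-log line; None if it is not a cstecgi.cgi request."""
    m = REQUEST_RE.match(log_line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != "/cgi-bin/cstecgi.cgi":
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes %XX escapes
    name = params.get("plugin_name", [None])[0]
    if name is None:
        return {"client": m.group("client"), "verdict": "no_plugin_name", "reasons": []}
    reasons = []
    if SHELL_META & set(name):
        reasons.append("shell metacharacters")
    if not plugin_name_is_valid(name):
        reasons.append("fails allowlist")
    return {"client": m.group("client"), "plugin_name": name,
            "verdict": "suspicious" if reasons else "ok", "reasons": reasons}

def suspicious_requests(lines):
    """Return only the cstecgi.cgi requests whose plugin_name fails the checks."""
    return [r for r in map(inspect_request, lines) if r and r["verdict"] == "suspicious"]

# Constructed sample log lines (not real traffic; addresses are documentation ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Jan/2026:10:00:01 +0000] "POST /cgi-bin/cstecgi.cgi?plugin_name=wifi_tools HTTP/1.1" 200 51',
    '198.51.100.7 - - [28/Jan/2026:10:00:02 +0000] "POST /cgi-bin/cstecgi.cgi?plugin_name=a%3Bb HTTP/1.1" 200 51',
    '192.0.2.11 - - [28/Jan/2026:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```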