Cyber Posture

CVE-2026-1547

Medium · Public PoC

Published: 28 January 2026
Modified: 09 February 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: none referenced
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0059 (69.3rd percentile)
Risk Priority: 13 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-1547 is a medium-severity Injection (CWE-74) vulnerability in Totolink A7000R Firmware. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 30.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

SI-10 Information Input Validation · prevent

Directly mitigates command injection by requiring validation and sanitization of untrusted inputs such as the plugin_name argument of the cstecgi.cgi script.

SI-2 Flaw Remediation · prevent

Addresses the root cause through timely identification, reporting, and remediation of the command injection flaw in Totolink A7000R firmware.

detect

Supports detection of exploitation attempts by monitoring for anomalous remote requests to the vulnerable setUnloadUserData function in cstecgi.cgi.

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Command injection in the router's public-facing CGI script enables remote exploitation (T1190) and arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A vulnerability was detected in Totolink A7000R 4.1cu.4154. This affects the function setUnloadUserData of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument plugin_name results in command injection. It is possible to launch the attack remotely. The exploit is now public and may be used.

Deeper analysis · AI

CVE-2026-1547 is a command injection vulnerability in the Totolink A7000R router running firmware version 4.1cu.4154. It affects the setUnloadUserData function within the /cgi-bin/cstecgi.cgi script, where the plugin_name argument is improperly handled, allowing attackers to inject arbitrary commands. The issue aligns with CWE-74 (improper neutralization of special elements) and CWE-77 (command injection), earning a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

Attackers with low privileges, such as authenticated users, can exploit this remotely over the network with low complexity and no user interaction required. Successful exploitation enables limited command execution on the device, potentially leading to low-impact confidentiality, integrity, and availability compromises, such as data leakage, minor configuration changes, or service disruptions.

Public proof-of-concept exploits are available in GitHub repositories detailing the RCE via setUnloadUserData, including specific PoC instructions. VulDB advisories (ctiid.343231, id.343231, submit.739713) document the vulnerability, but no vendor patches or specific mitigation steps are detailed in the referenced sources. Security practitioners should isolate affected devices and monitor for anomalous CGI requests until firmware updates are confirmed.
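The detect control above and the monitoring recommendation in this analysis both come down to the same check: watch remote requests to /cgi-bin/cstecgi.cgi, flag any that invoke setUnloadUserData, and escalate when the plugin_name argument carries shell metacharacters that a plugin name never legitimately needs. The following is an added example written for this record, not code from Totolink, VulDB or the referenced PoC repositories. Only the path, the function name and the argument name come from the advisory; the access-log layout (common log format with the request body appended as a final quoted field) and the `function=` dispatcher parameter are constructed assumptions, because the page does not say how the firmware selects the function, so the detector keys on the presence of the function name anywhere in the decoded request rather than on a particular parameter.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Facts taken from the advisory text.
TARGET_PATH = "/cgi-bin/cstecgi.cgi"
TARGET_FUNC = "setUnloadUserData"
TARGET_ARG = "plugin_name"

# Characters that shell-interpret a string; none belong in a plugin name.
SHELL_META = re.compile(r"[;|&`$()<>\n\\]")

# Constructed log layout: common log format, optionally followed by the
# URL-encoded request body in quotes (assumption, not a Totolink format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<body>[^"]*)")?$'
)


def parse_line(line: str) -> Optional[dict]:
    """Split one access-log line into fields and merge query + body params."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    url = urlsplit(m.group("target"))
    params = parse_qs(url.query, keep_blank_values=True)
    body = m.group("body") or ""
    for key, vals in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(vals)
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": url.path,
        "target": m.group("target"),
        "body": body,
        "params": params,
    }


def classify(line: str) -> Optional[dict]:
    """Return an alert dict for a line of interest, or None for unrelated traffic."""
    rec = parse_line(line)
    if rec is None:
        return {"level": "unparsed", "reason": "line did not match the log format"}
    if rec["path"] != TARGET_PATH:
        return None
    # Look for the function name in the decoded URL and body, whatever
    # parameter the firmware actually uses to carry it.
    decoded = unquote(rec["target"]) + " " + unquote(rec["body"])
    if TARGET_FUNC not in decoded:
        return {"level": "info", "ip": rec["ip"],
                "reason": "request to cstecgi.cgi for another function"}
    suspicious = [v for v in rec["params"].get(TARGET_ARG, []) if SHELL_META.search(v)]
    if suspicious:
        return {"level": "high", "ip": rec["ip"], "values": suspicious,
                "reason": f"{TARGET_FUNC} called with shell metacharacters in {TARGET_ARG}"}
    return {"level": "medium", "ip": rec["ip"],
            "reason": f"{TARGET_FUNC} invoked remotely; public PoC exists, review the source"}


def scan(log_text: str) -> list:
    """Run classify() over every non-empty line and collect the alerts."""
    return [a for a in (classify(l) for l in log_text.splitlines() if l.strip()) if a]


# Constructed sample log; the "function=" parameter name is a placeholder.
SAMPLE_LOG = """\
192.0.2.10 - - [28/Jan/2026:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.10 - - [28/Jan/2026:10:15:07 +0000] "POST /cgi-bin/cstecgi.cgi HTTP/1.1" 200 88 "function=otherFunction"
198.51.100.7 - - [28/Jan/2026:10:16:30 +0000] "POST /cgi-bin/cstecgi.cgi HTTP/1.1" 200 64 "function=setUnloadUserData&plugin_name=sample_plugin"
198.51.100.7 - - [28/Jan/2026:10:16:41 +0000] "POST /cgi-bin/cstecgi.cgi HTTP/1.1" 200 64 "function=setUnloadUserData&plugin_name=sample%3B%24%28x%29"
203.0.113.5 - - [28/Jan/2026:10:17:02 +0000] "GET /cgi-bin/cstecgi.cgi?function=setUnloadUserData&plugin_name=a%7Cb HTTP/1.1" 200 64
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["level"].upper(), alert.get("ip", "-"), alert["reason"], alert.get("values", ""))
```

The medium tier is deliberate: because the PoC is public and no patch is referenced, any remote call to setUnloadUserData is worth a look even when the argument is clean, while metacharacters in plugin_name are the signal to page on. Unparsed lines are surfaced rather than dropped so a log-format change cannot silently blind the rule.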

Details

CWE(s): CWE-74 (Injection), CWE-77 (Command Injection)

Affected Products: totolink a7000r firmware, version 4.1cu.4154

CVEs Like This One

CVE-2026-1601 (same product: Totolink A7000R)
CVE-2026-1548 (same product: Totolink A7000R)
CVE-2026-1327 (same vendor: Totolink)
CVE-2026-5104 (same vendor: Totolink)
CVE-2026-5177 (same vendor: Totolink)
CVE-2025-7952 (same vendor: Totolink)
CVE-2026-5102 (same vendor: Totolink)
CVE-2026-0641 (same vendor: Totolink)
CVE-2026-5103 (same vendor: Totolink)
CVE-2026-1149 (same vendor: Totolink)

References