Cyber Resilience

CVE-2026-1601

Medium · Public PoC

Published: 29 January 2026

Modified: 10 February 2026
KEV Added
Patch
CVSS Score (v4): 5.3
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0515 (90.1th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-1601 is a medium-severity Injection (CWE-74) vulnerability in Totolink A7000R Firmware. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 9.9% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-1601 is a command injection vulnerability affecting the Totolink A7000R router running firmware version 4.1cu.4154. The flaw resides in the setUploadUserData function within the /cgi-bin/cstecgi.cgi CGI script, where manipulation of the FileName argument fails to properly neutralize special elements, enabling arbitrary command execution. This issue aligns with CWE-74 (Improper Neutralization of Special Elements) and CWE-77 (Command Injection), earning a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

The vulnerability can be exploited remotely by an authenticated attacker with low privileges, such as a standard user account on the device. Successful exploitation allows injection and execution of operating system commands, potentially resulting in limited impacts to confidentiality, integrity, and availability, including unauthorized data access, modification of system files, or denial-of-service conditions.

Public proof-of-concept exploits are available on GitHub, detailing the remote code execution (RCE) via the setUploadUserData endpoint. VulDB advisories (ctiid.343373, id.343373) document the issue, but no vendor patches or specific mitigation steps are detailed in the referenced sources. Security practitioners should isolate affected devices and monitor for anomalous CGI requests.

The exploit code has been publicly disclosed and could be adapted for real-world attacks against unpatched Totolink A7000R routers. The vulnerability was published on 2026-01-29.
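
One way to implement the monitoring suggested above, as an added example that is not from the advisory, the vendor or any referenced source: it flags requests to /cgi-bin/cstecgi.cgi that mention setUploadUserData and carry a FileName value outside a strict allowlist. The JSON and form-encoded body shapes, the "action" key, the allowlist pattern and the sample records are assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qs

# Path, function and parameter names are taken from the advisory text.
CGI_PATH, FUNCTION, PARAM = "/cgi-bin/cstecgi.cgi", "setUploadUserData", "FileName"
# Assumption: a legitimate upload name is a short plain base name, no leading dot.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9._-]{0,63}")

# Constructed records (source, path, body), e.g. from a reverse proxy that logs
# bodies. The "action" key is hypothetical: the page does not give the wire format.
SAMPLES = [
    ("192.0.2.10", CGI_PATH, '{"action": "setUploadUserData", "FileName": "backup.cfg"}'),
    ("192.0.2.66", CGI_PATH, '{"action": "setUploadUserData", "FileName": "backup.cfg;x"}'),
    ("192.0.2.66", CGI_PATH, "action=setUploadUserData&FileName=%24%28x%29"),
    ("192.0.2.10", "/index.html", ""),
]

def find_values(node, key):
    """Yield every value stored under `key` at any depth of parsed JSON."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                yield v
            yield from find_values(v, key)
    elif isinstance(node, list):
        for item in node:
            yield from find_values(item, key)

def filename_values(body):
    """Extract FileName values from a JSON body, else from a form-encoded one."""
    try:
        return [str(v) for v in find_values(json.loads(body), PARAM)]
    except ValueError:
        return parse_qs(body, keep_blank_values=True).get(PARAM, [])

def suspicious(path, body):
    """Return the FileName values of one request that fail the allowlist."""
    if not path.startswith(CGI_PATH) or FUNCTION not in body:
        return []
    return [v for v in filename_values(body) if not SAFE_NAME.fullmatch(v)]

def alerts(records):
    """Return (source, value) pairs for every rejected FileName in the records."""
    return [(src, v) for src, path, body in records for v in suspicious(path, body)]

if __name__ == "__main__":
    for src, value in alerts(SAMPLES):
        print(f"ALERT src={src} FileName={value!r}")
```

An allowlist is used rather than a list of known metacharacters so that encodings and separators not anticipated here are still rejected.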

Vulnerability details

A weakness has been identified in Totolink A7000R 4.1cu.4154. The impacted element is the function setUploadUserData of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument FileName can lead to command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct command injection in a public-facing CGI endpoint enables remote code execution by unauthenticated or low-privilege attackers, matching T1190 (Exploit Public-Facing Application).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-1547 (same product: Totolink A7000R)
CVE-2026-1548 (same product: Totolink A7000R)
CVE-2026-5103 (same vendor: Totolink)
CVE-2025-7614 (same vendor: Totolink)
CVE-2026-5020 (same vendor: Totolink)
CVE-2026-5177 (same vendor: Totolink)
CVE-2025-7524 (same vendor: Totolink)
CVE-2026-1326 (same vendor: Totolink)
CVE-2026-5030 (same vendor: Totolink)
CVE-2026-1327 (same vendor: Totolink)

Affected Assets

Vendor: totolink
Product: a7000r firmware
Version: 4.1cu.4154

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly requires validation and sanitization of the FileName argument in setUploadUserData to neutralize special elements and block command injection.

prevent: Mandates identification, reporting, and correction of the specific command injection flaw in the cstecgi.cgi script via firmware patching.

prevent: Enforces least privilege on low-privilege authenticated accounts to restrict the scope and impact of injected commands executed by the vulnerable CGI process.

References