Cyber Resilience

CVE-2026-1723

Severity: Critical · Impact: RCE

Published: 30 January 2026
Modified: 15 April 2026
KEV Added: none (not listed in the CISA KEV catalog)
Patch: see the vendor firmware download page in the references
CVSS Score (v4): 9.2
CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0090 (55.0th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-1723 is a critical-severity OS Command Injection (CWE-78) vulnerability in Totolink (inferred from references). Its CVSS base score is 9.2 (Critical).

Operationally, it ranks in the top 45.0% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2026-1723 is an OS command injection vulnerability (CWE-78) present in the TOTOLINK X6000R router. It stems from improper neutralization of special elements in OS commands and affects all firmware versions through V9.4.0cu.1498_B20250826. The flaw carries a CVSS 4.0 score of 9.2.

An unauthenticated remote attacker can supply crafted input over the network to execute arbitrary operating-system commands on the device. Successful exploitation can alter system integrity and availability while also enabling secondary impacts on confidentiality, with the attack complexity rated as high under the published vector.

The referenced Palo Alto Networks disclosure and TOTOLINK firmware download page provide the primary sources for mitigation details and any available updates. The EPSS score rose from a low baseline to a peak of 0.0198 on 2026-02-05 before receding to the current value of 0.0047, indicating a temporary increase in exploitation interest after public disclosure.

Vulnerability details

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in TOTOLINK X6000R allows OS Command Injection. This issue affects X6000R: through V9.4.0cu.1498_B20250826.

CVEs Like This One

- CVE-2018-25115 (shared CWE-78)
- CVE-2025-41276 (shared CWE-78)
- CVE-2026-28463 (shared CWE-78)
- CVE-2024-55590 (shared CWE-78)
- CVE-2026-23678 (shared CWE-78)
- CVE-2025-56089 (shared CWE-78)
- CVE-2025-56087 (shared CWE-78)
- CVE-2025-10230 (shared CWE-78)
- CVE-2026-27635 (shared CWE-78)
- CVE-2026-28470 (shared CWE-78)

Affected Assets

Totolink (vendor inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection. (addresses CWE-78)
- Validates inputs to block special elements that would alter OS command execution. (addresses CWE-78)
