Cyber Resilience

CVE-2026-36841

Critical · RCE

Published: 29 April 2026
Modified: 29 April 2026
KEV Added
Patch
CVSS Score (v3.1): 9.8 · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0113 (62.3rd percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-36841 is a critical-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 37.7% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-36841 is a command injection vulnerability (CWE-77) affecting the TOTOLINK N200RE V5 router. The flaw resides in the formMapDelDevice function, where the macstr and bandstr parameters fail to properly sanitize user input, enabling arbitrary command execution. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its network accessibility and severe impacts.

Remote attackers require only network access to the vulnerable device, with no authentication, privileges, or user interaction needed. Exploitation involves sending crafted requests to the affected endpoint, allowing attackers to execute arbitrary operating system commands. This can grant full control over the router, enabling data theft, traffic manipulation, persistent access, or denial of service.

References point to GitHub repositories under 0xmania/cve, which contain details and proof-of-concept exploit code for the TOTOLINK N200RE V5 cstecgi-formMapDelDevice command injection. No vendor advisories or patches are detailed in the available information.


Vulnerability details

TOTOLINK N200RE V5 was discovered to contain a command injection vulnerability via the macstr and bandstr parameters in the formMapDelDevice function.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in the unauthenticated web management interface (formMapDelDevice) directly enables remote OS command execution on the Linux-based router, mapping to T1190 (Exploit Public-Facing Application) and T1059.004 (Unix Shell).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-57590 (shared CWE-77)
CVE-2025-64090 (shared CWE-77)
CVE-2024-57036 (shared CWE-77)
CVE-2024-39765 (shared CWE-77)
CVE-2025-29635 (shared CWE-77)
CVE-2024-39782 (shared CWE-77)
CVE-2024-13871 (shared CWE-77)
CVE-2025-50722 (shared CWE-77)
CVE-2024-39367 (shared CWE-77)
CVE-2026-22284 (shared CWE-77)

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 mandates validation and sanitization of user inputs such as the macstr and bandstr parameters, directly preventing command injection in the formMapDelDevice function.

Prevent: SI-2 requires timely identification, prioritization, and remediation of flaws such as this command injection vulnerability, through patching or disabling the affected components.

Prevent: AC-14 limits the actions permitted without identification or authentication, preventing unauthenticated remote access to the vulnerable formMapDelDevice endpoint.
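As an added illustration of the SI-10 control above (example code written for this page, not TOTOLINK firmware and not taken from the referenced repositories), the following C shows strict allowlist validation for the two parameters named in the CVE; the band names "2.4G" and "5G" and the function names are assumptions, since the page does not give the firmware's actual values.

```c
#include <ctype.h>
#include <string.h>

/* Added example: strict allowlist validation for the two request parameters
 * named in this CVE. Illustrative code, not TOTOLINK firmware. */

/* macstr must be exactly "xx:xx:xx:xx:xx:xx" with hex digits; anything else,
 * including any shell metacharacter, is rejected. */
int valid_macstr(const char *s)
{
    if (s == NULL || strlen(s) != 17)
        return 0;
    for (int i = 0; i < 17; i++) {
        if (i % 3 == 2) {
            if (s[i] != ':')
                return 0;
        } else if (!isxdigit((unsigned char)s[i])) {
            return 0;
        }
    }
    return 1;
}

/* bandstr is matched against a closed list of exact values. The band names
 * here are an assumption; the real firmware's names are not on the page. */
int valid_bandstr(const char *s)
{
    static const char *const allowed[] = { "2.4G", "5G" };
    if (s == NULL)
        return 0;
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strcmp(s, allowed[i]) == 0)
            return 1;
    return 0;
}

/* Gate for a hypothetical handler: 0 = accept, -1 = bad macstr, -2 = bad bandstr.
 * Validation runs before any command line is assembled, and accepted values
 * should then be passed as separate execv() arguments rather than through
 * system() or popen(), so no shell ever parses them. */
int check_map_del_params(const char *macstr, const char *bandstr)
{
    if (!valid_macstr(macstr))
        return -1;
    if (!valid_bandstr(bandstr))
        return -2;
    return 0;
}
```

Rejecting on format rather than blacklisting characters is what makes this robust: a value that is not a well-formed MAC or an exact band name never reaches the command layer.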

References