Cyber Posture

CVE-2026-36841

Critical · RCE

Published: 29 April 2026

Modified: 29 April 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0012 (29.8th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-36841 is a critical-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 29.8th percentile by exploit likelihood (EPSS), which is below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: SI-10 mandates validation and sanitization of user inputs, such as the macstr and bandstr parameters, to directly prevent command injection in the formMapDelDevice function.

Prevent: SI-2 requires timely identification, prioritization, and remediation of flaws such as this command injection vulnerability, through patching or disabling affected components.

Prevent: AC-14 limits the actions permitted without identification or authentication, preventing unauthenticated remote access to the vulnerable formMapDelDevice endpoint.
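
As an added illustration of the SI-10 control above (not TOTOLINK's code and not taken from the firmware), this C example shows allowlist validation that a handler could apply to the two parameters before they reach any command. The field formats (a 17-character colon-separated MAC for macstr, a short alphanumeric token for bandstr) and all function names are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Assumed format: macstr is exactly "XX:XX:XX:XX:XX:XX" (17 chars, hex pairs). */
static int valid_mac(const char *s)
{
    if (s == NULL || strlen(s) != 17)
        return 0;
    for (size_t i = 0; i < 17; i++) {
        if (i % 3 == 2) {               /* positions 2, 5, 8, 11, 14 */
            if (s[i] != ':')
                return 0;
        } else if (!isxdigit((unsigned char)s[i])) {
            return 0;
        }
    }
    return 1;
}

/* Assumed format: bandstr is 1-8 characters drawn from [A-Za-z0-9.]. */
static int valid_band(const char *s)
{
    size_t n;

    if (s == NULL)
        return 0;
    n = strlen(s);
    if (n < 1 || n > 8)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && s[i] != '.')
            return 0;
    return 1;
}

/* Gate for a hypothetical handler: accept the request only if both
 * fields match their allowlist; anything else is rejected, not "cleaned". */
int map_del_input_ok(const char *macstr, const char *bandstr)
{
    return valid_mac(macstr) && valid_band(bandstr);
}
```

Rejecting on mismatch is deliberate: stripping or escaping metacharacters tends to miss cases, whereas a fixed-format allowlist leaves no shell-significant characters to pass through. Validated values are still best handed to an exec-style argument vector rather than a shell command string.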

MITRE ATT&CK Enterprise Techniques · AI

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 · Unix Shell · Execution
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Command injection in the unauthenticated web management interface (formMapDelDevice) directly enables remote OS command execution on the Linux-based router, which maps to T1190 (Exploit Public-Facing Application) and T1059.004 (Unix Shell).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

TOTOLINK N200RE V5 was discovered to contain a command injection vulnerability via the macstr and bandstr parameters in the formMapDelDevice function.

Deeper analysis · AI

CVE-2026-36841 is a command injection vulnerability (CWE-77) affecting the TOTOLINK N200RE V5 router. The flaw resides in the formMapDelDevice function, where the user-supplied macstr and bandstr parameters are not properly sanitized, enabling arbitrary command execution. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its network accessibility and severe impacts.

Remote attackers require only network access to the vulnerable device, with no authentication, privileges, or user interaction needed. Exploitation involves sending crafted requests to the affected endpoint, allowing attackers to execute arbitrary operating system commands. This can grant full control over the router, enabling data theft, traffic manipulation, persistent access, or denial of service.

References point to GitHub repositories under 0xmania/cve, which contain details and proof-of-concept exploit code for the TOTOLINK N200RE V5 cstecgi-formMapDelDevice command injection. No vendor advisories or patches are detailed in the available information.

Details

CWE(s)

CVEs Like This One

CVE-2024-43028 · Shared CWE-77
CVE-2026-31175 · Shared CWE-77
CVE-2025-50722 · Shared CWE-77
CVE-2024-54007 · Shared CWE-77
CVE-2025-50526 · Shared CWE-77
CVE-2025-64090 · Shared CWE-77
CVE-2025-14756 · Shared CWE-77
CVE-2024-54802 · Shared CWE-77
CVE-2026-26461 · Shared CWE-77
CVE-2024-39367 · Shared CWE-77

References