CVE-2026-3696
Published: 08 March 2026
Summary
CVE-2026-3696 is a high-severity Command Injection (CWE-77) vulnerability in Totolink N300Rh Firmware. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 31.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents OS command injection by requiring validation and sanitization of inputs to the vulnerable setWiFiWpsConfig function in /cgi-bin/cstecgi.cgi.
Protects the publicly accessible CGI handler from unauthorized remote manipulation, mitigating the network-accessible unauthenticated exploitation vector.
Requires timely identification, prioritization, and remediation of the specific command injection flaw in Totolink N300RH firmware version 6.1c.1353_B20190305.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables unauthenticated remote OS command injection via public-facing CGI interface on router (T1190), facilitating command execution on network device CLI (T1059.008).
NVD Description
A vulnerability was found in Totolink N300RH 6..1c.1353_B20190305. The affected element is the function setWiFiWpsConfig of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation results in os command injection. The attack can be initiated remotely. The exploit…
more
has been made public and could be used.
Deeper analysisAI
CVE-2026-3696 is an OS command injection vulnerability (CWE-77, CWE-78) in the Totolink N300RH router running firmware version 6..1c.1353_B20190305. The issue resides in the setWiFiWpsConfig function within the /cgi-bin/cstecgi.cgi file of the CGI Handler component. It has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and lack of prerequisites.
Remote attackers can exploit this vulnerability without authentication or user interaction by manipulating the affected function, leading to arbitrary OS command execution. Successful exploitation grants limited impact on confidentiality, integrity, and availability, potentially allowing attackers to run commands on the device.
Advisories and details are available via VulDB entries (ctiid.349642, id.349642, submit.765681) and a GitHub vulnerability research issue. The Totolink manufacturer website is also referenced, though specific patch or mitigation guidance is not detailed in the CVE publication from March 8, 2026. A public exploit exists, increasing the risk of real-world attacks.
Details
- CWE(s)