Cyber Resilience

CVE-2026-5676

Medium

Published: 06 April 2026

Published
06 April 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0013 32.3th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-5676 is a medium-severity Improper Authentication (CWE-287) vulnerability in Totolink A8000R (inferred from references). Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-5676 is a missing authentication vulnerability affecting the Totolink A8000R router on firmware version 5.9c.681_B20180413. The flaw exists in the setLanguageCfg function within the /cgi-bin/cstecgi.cgi file, where manipulation of the langType argument enables authentication bypass. It is associated with CWEs-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function) and carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

The vulnerability can be exploited remotely by unauthenticated attackers over the network with low attack complexity and no requirement for user interaction. Exploitation allows limited impacts on confidentiality, integrity, and availability, such as unauthorized access to certain functions. A public exploit is available, increasing the risk of widespread use.

Advisories and additional details are documented in references including a GitHub repository detailing the authentication bypass (https://github.com/skeetabc/CVE-TOTOLINK-A800R/blob/main/vuln1_auth_bypass.md), VulDB entries (https://vuldb.com/submit/792433, https://vuldb.com/vuln/355503, https://vuldb.com/vuln/355503/cti), and the Totolink vendor site (https://www.totolink.net/). No specific mitigation or patch details are outlined in the provided information.

EU & UK References

Vulnerability details

A vulnerability was identified in Totolink A8000R 5.9c.681_B20180413. This issue affects the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument langType leads to missing authentication. The attack can be launched remotely. The exploit is publicly available and…

more

might be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes an authentication bypass vulnerability in a public-facing web CGI endpoint (/cgi-bin/cstecgi.cgi) on a network router, directly enabling remote unauthenticated exploitation of a public-facing application for initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-7042Shared CWE-287, CWE-306
CVE-2025-58443Shared CWE-287, CWE-306
CVE-2025-11942Shared CWE-287, CWE-306
CVE-2026-6577Shared CWE-287, CWE-306
CVE-2026-6582Shared CWE-287, CWE-306
CVE-2026-6129Shared CWE-287, CWE-306
CVE-2026-4562Shared CWE-287, CWE-306
CVE-2026-7723Shared CWE-287, CWE-306
CVE-2026-5000Shared CWE-287, CWE-306
CVE-2026-6126Shared CWE-287, CWE-306

Affected Assets

Totolink
A8000R
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-14 directly prohibits unauthorized actions without identification or authentication, such as manipulating the langType argument in setLanguageCfg to bypass authentication.

prevent

IA-8 requires unique identification and authentication for non-organizational users, preventing remote unauthenticated access to the vulnerable CGI endpoint.

prevent

AC-3 enforces approved access authorizations, blocking unauthorized manipulation of critical functions like setLanguageCfg in cstecgi.cgi.

References