CVE-2026-5677
Published: 06 April 2026
Summary
CVE-2026-5677 is a medium-severity Command Injection (CWE-77) vulnerability in Totolink A7100RU (inferred from references). Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 10.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. Impacted is the function CsteSystem of the file /cgi-bin/cstecgi.cgi. Performing a manipulation of the argument resetFlags results in os command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks.
Remote unauthenticated attackers can supply crafted values to the resetFlags parameter and execute arbitrary operating system commands on the device. Successful exploitation yields limited effects on confidentiality, integrity, and availability according to the CVSS vector.
The EPSS score remains low with negligible movement between its current value of 0.0474 and recorded peak of 0.0486. Public references include a detailed proof-of-concept on GitHub along with entries on VulDB and the vendor site, but no specific patch or mitigation guidance is provided in the available sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19436
Vulnerability details
A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. Impacted is the function CsteSystem of the file /cgi-bin/cstecgi.cgi. Performing a manipulation of the argument resetFlags results in os command injection. The attack may be initiated remotely. The exploit has…
more
been released to the public and may be used for attacks.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection in public-facing CGI script enables remote unauthenticated exploitation of the application (T1190) and arbitrary command execution on the Linux-based router via Unix shell (T1059.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents OS command injection by requiring validation of inputs like the resetFlags argument in the cstecgi.cgi script.
Mandates risk-based remediation of the specific command injection flaw through firmware patching.
Facilitates vulnerability scanning to identify and remediate the CVE-2026-5677 flaw in the Totolink router.