Cyber Posture

CVE-2026-5690

High

Published: 06 April 2026

Published
06 April 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0115 78.6th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-5690 is a high-severity Command Injection (CWE-77) vulnerability in Totolink A7100RU (inferred from references). Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 21.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly mitigates OS command injection by validating and sanitizing the 'enable' argument in the vulnerable setRemoteCfg function.

SI-2 Flaw Remediation good match
prevent

Addresses the root cause by requiring timely remediation of the known command injection flaw through firmware patching.

SC-7 Boundary Protection partial match
prevent

Prevents remote exploitation of the unauthenticated CGI endpoint by enforcing boundary protections on network interfaces.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
Why these techniques?

OS command injection in public-facing CGI web interface on router enables remote unauthenticated exploitation of the application (T1190) and direct arbitrary command execution via Unix shell (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A flaw has been found in Totolink A7100RU 7.4cu.2313_b20191024. The impacted element is the function setRemoteCfg of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument enable can lead to os command injection. The attack can be executed remotely. The…

more

exploit has been published and may be used.

Deeper analysisAI

CVE-2026-5690 is an OS command injection vulnerability (CWE-77, CWE-78) affecting the Totolink A7100RU router on firmware version 7.4cu.2313_b20191024. The flaw resides in the setRemoteCfg function within the /cgi-bin/cstecgi.cgi file, where manipulation of the "enable" argument enables attackers to inject and execute arbitrary operating system commands.

The vulnerability is remotely exploitable over the network by unauthenticated attackers requiring low attack complexity and no user interaction, earning a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Exploitation allows limited impacts on confidentiality, integrity, and availability, with a published exploit available for use.

References include a GitHub repository at https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_188/README.md detailing the exploit, VULDB advisories at https://vuldb.com/vuln/355517 and related pages, and the vendor site at https://www.totolink.net/. The exploit has been published and may be used in attacks.

Details

CWE(s)
CWE-77CWE-78

Affected Products

Totolink
A7100RU
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2026-2175Shared CWE-77, CWE-78
CVE-2026-2210Shared CWE-77, CWE-78
CVE-2026-2260Shared CWE-77, CWE-78
CVE-2026-2081Shared CWE-77, CWE-78
CVE-2026-6158Shared CWE-77, CWE-78
CVE-2025-15472Shared CWE-77, CWE-78
CVE-2026-2157Shared CWE-77, CWE-78
CVE-2025-1829Shared CWE-77, CWE-78
CVE-2026-6116Shared CWE-77, CWE-78
CVE-2026-5995Shared CWE-77, CWE-78

References