CVE-2026-5994
Published: 10 April 2026
Summary
CVE-2026-5994 is a high-severity Command Injection (CWE-77) vulnerability in Totolink A7100RU (inferred from references). Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 24.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. The issue affects the function setTelnetCfg in the file /cgi-bin/cstecgi.cgi of the CGI Handler component. Manipulating the argument telnet_enabled results in OS command injection. The attack can be carried out remotely. The exploit has been released to the public and may be used for attacks.
The vulnerability can be exploited remotely by unauthenticated attackers who supply crafted input to the telnet_enabled parameter, potentially allowing execution of arbitrary operating system commands on the device. A public exploit has been made available, increasing the risk of attacks against exposed devices.
The exploitation probability remains low according to EPSS metrics, with a current score of 0.0122 and a peak of 0.0125, showing no significant increase post-disclosure. References point to detailed vulnerability reports on VulDB and a GitHub repository, along with the vendor's website for further information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21270
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote OS command injection via public-facing router CGI directly enables exploitation of public-facing application (T1190) and facilitates arbitrary command execution on network device CLI (T1059.008).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): Directly requires validation of the telnet_enabled argument in setTelnetCfg to block crafted OS command payloads before execution.
AC-3 (Access Enforcement): Enforces access-control decisions on the CGI handler so unauthenticated remote callers cannot invoke setTelnetCfg at all.
Restricts remote network access to the device's management interface, reducing exposure of the vulnerable /cgi-bin/cstecgi.cgi endpoint.
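The input-validation control above can also be applied as a monitoring check outside the device. The following is an added example, not vendor or advisory code: it classifies request bodies seen by a proxy or sensor placed in front of the management interface. It assumes that telnet_enabled is a plain 0/1 flag and that bodies arrive as JSON or form-encoded text; the function names and all sample requests are constructed for illustration.

```python
import json
from urllib.parse import parse_qs

ENDPOINT = "/cgi-bin/cstecgi.cgi"  # endpoint named in the advisory
PARAM = "telnet_enabled"           # argument named in the advisory
ALLOWED = {"0", "1"}               # assumption: the flag is a plain on/off value

def extract_values(body):
    """Return every value supplied for PARAM in a JSON or form-encoded body."""
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if isinstance(doc, dict):
        if PARAM not in doc:
            return []
        value = doc[PARAM]
        # Non-string JSON (1, true, [..]) is normalised to its JSON text.
        return [value if isinstance(value, str) else json.dumps(value)]
    return parse_qs(body, keep_blank_values=True).get(PARAM, [])

def classify(path, body):
    """Return 'ignore', 'allow' or 'alert' for one request to the device."""
    if path.split("?", 1)[0] != ENDPOINT:
        return "ignore"
    values = extract_values(body)
    if not values:
        # A body that names the parameter but does not parse is suspicious too.
        return "alert" if PARAM in body else "ignore"
    return "allow" if all(v in ALLOWED for v in values) else "alert"

# Constructed sample requests (path, body); none of these are captured traffic.
SAMPLES = [
    (ENDPOINT, '{"telnet_enabled": "1"}'),
    (ENDPOINT, '{"telnet_enabled": 0}'),
    (ENDPOINT, '{"telnet_enabled": "1$(constructed)"}'),
    (ENDPOINT, "telnet_enabled=1%3Bconstructed"),
    (ENDPOINT, '{"telnet_enabled": "1"'),
    ("/index.html", "telnet_enabled=1%3Bconstructed"),
    (ENDPOINT, '{"other": "x"}'),
]

def run_samples():
    return [classify(path, body) for path, body in SAMPLES]

if __name__ == "__main__":
    for (path, body), verdict in zip(SAMPLES, run_samples()):
        print(f"{verdict:6} {path} {body}")
```

Because the check is an allow-list, it does not depend on recognising any particular payload: anything other than the two expected values raises an alert.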