CVE-2026-5995
Published: 10 April 2026
Summary
CVE-2026-5995 is a critical-severity Command Injection (CWE-77) vulnerability in Totolink A7100RU (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents OS command injection by requiring validation of the lan_info argument in the vulnerable setMiniuiHomeInfoShow CGI function.
Mandates timely identification, reporting, and correction of the specific command injection flaw in the Totolink router firmware.
Restricts the lan_info input to organization-defined safe values, blocking injection of arbitrary OS commands via the CGI handler.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2026-5995 enables remote unauthenticated OS command injection via a public-facing router CGI handler, directly facilitating T1190 (Exploit Public-Facing Application) and T1059.004 (Unix Shell) execution.
NVD Description
A weakness has been identified in Totolink A7100RU 7.4cu.2313_b20191024. Impacted is the function setMiniuiHomeInfoShow of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument lan_info can lead to os command injection. The attack may be…
more
performed from remote. The exploit has been made available to the public and could be used for attacks.
Deeper analysisAI
CVE-2026-5995 is an OS command injection vulnerability affecting the Totolink A7100RU router on firmware version 7.4cu.2313_b20191024. The issue lies in the setMiniuiHomeInfoShow function of the /cgi-bin/cstecgi.cgi CGI handler component, where manipulation of the lan_info argument enables injection of arbitrary operating system commands. It is classified under CWE-77 (Command Injection) and CWE-78 (OS Command Injection).
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), making it critically severe due to its network accessibility, low complexity, lack of required privileges or user interaction, and potential for high impacts on confidentiality, integrity, and availability. Remote unauthenticated attackers can exploit it over the network to execute arbitrary OS commands, achieving full device compromise.
Advisories and exploit details are documented on VulDB (vuln/356549 and related pages) and a GitHub repository at Litengzheng/vuldb_new/blob/main/A7100RU/vul_167/README.md. The vendor site is available at totolink.net, but specific patch or mitigation guidance is not outlined in the disclosure.
The exploit has been publicly released, heightening the risk of active exploitation against unpatched Totolink A7100RU devices.
Details
- CWE(s)