CVE-2026-5996
Published: 10 April 2026
Summary
CVE-2026-5996 is a high-severity Command Injection (CWE-77) vulnerability in Totolink A7100RU (inferred from references). Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 24.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
A security vulnerability identified as CVE-2026-5996 affects the Totolink A7100RU router running firmware version 7.4cu.2313_b20191024. It resides in the setAdvancedInfoShow function within the /cgi-bin/cstecgi.cgi file of the CGI Handler component, where improper handling of the tty_server argument enables OS command injection, as indicated by the associated CWE-77 and CWE-78 classifications.
The flaw can be exploited remotely by unauthenticated attackers to execute arbitrary operating system commands on the device, potentially leading to full compromise of the affected router. The vulnerability carries a CVSS score of 8.9 and has had its exploit details publicly disclosed, with the attack vector requiring no user interaction or privileges.
Reference materials include a GitHub repository containing vulnerability details, multiple VulDB entries, and the vendor website for Totolink, though no specific mitigation guidance or patch information is provided in the available sources. The EPSS score shows a current value of 0.0122 with a peak of 0.0125, indicating limited exploitation interest to date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21274
Vulnerability details
A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. The affected element is the function setAdvancedInfoShow of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument tty_server leads to OS command injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote OS command injection via public-facing router web CGI enables exploitation of public-facing application (T1190) and Unix shell command execution (T1059.004).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Enforces authentication and authorization checks before any unauthenticated remote caller can invoke setAdvancedInfoShow or pass the tty_server argument.
Requires validation and sanitization of the tty_server input to block the OS command injection that CWE-77/78 permits.
Restricts remote access to the router's management CGI interface, reducing the attack surface for unauthenticated exploitation.