Cyber Resilience

CVE-2026-5996

Severity: High · RCE

Published: 10 April 2026
Modified: 27 April 2026
KEV Added: not listed
Patch: none listed
CVSS Score v4: 8.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0182 (76.0th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-5996 is a high-severity Command Injection (CWE-77) vulnerability in Totolink A7100RU (inferred from references). Its CVSS base score is 8.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 24.0% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

A security vulnerability identified as CVE-2026-5996 affects the Totolink A7100RU router running firmware version 7.4cu.2313_b20191024. It resides in the setAdvancedInfoShow function within the /cgi-bin/cstecgi.cgi file of the CGI Handler component, where improper handling of the tty_server argument enables OS command injection as indicated by the associated CWE-77 and CWE-78 classifications.

The flaw can be exploited remotely by unauthenticated attackers to execute arbitrary operating system commands on the device, potentially leading to full compromise of the affected router. The vulnerability carries a CVSS score of 8.9, exploit details have been publicly disclosed, and the attack vector requires no user interaction or privileges.

Reference materials include a GitHub repository containing vulnerability details, multiple VulDB entries, and the vendor website for Totolink, though no specific mitigation guidance or patch information is provided in the available sources. The EPSS score shows a current value of 0.0122 with a peak of 0.0125, indicating limited exploitation interest to date.

Vulnerability details

A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. The affected element is the function setAdvancedInfoShow of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument tty_server leads to OS command injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.

CWE(s)

CWE-77 (Command Injection), CWE-78 (OS Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Unauthenticated remote OS command injection via public-facing router web CGI enables exploitation of public-facing application (T1190) and Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7204 (shared CWE-77, CWE-78)
CVE-2026-2152 (shared CWE-77, CWE-78)
CVE-2026-5677 (shared CWE-77, CWE-78)
CVE-2026-2157 (shared CWE-77, CWE-78)
CVE-2026-7136 (shared CWE-77, CWE-78)
CVE-2026-7121 (shared CWE-77, CWE-78)
CVE-2026-9387 (shared CWE-77, CWE-78)
CVE-2026-9477 (shared CWE-77, CWE-78)
CVE-2026-2063 (shared CWE-77, CWE-78)
CVE-2026-2847 (shared CWE-77, CWE-78)

Affected Assets

Totolink A7100RU (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5) (AI)

AC-3 Access Enforcement (prevent)

Enforces authentication and authorization checks before any unauthenticated remote caller can invoke setAdvancedInfoShow or pass the tty_server argument.

SI-10 Information Input Validation (prevent)

Requires validation and sanitization of the tty_server input to block the OS command injection that CWE-77/78 permits.

AC-17 Remote Access (partial match, prevent)

Restricts remote access to the router's management CGI interface, reducing the attack surface for unauthenticated exploitation.
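As an added illustration of the SI-10 control above (not code from the Totolink firmware or from any project referenced on this page), the following C shows what a CGI handler should do with a host-style parameter such as tty_server: accept it only against a strict allowlist, and hand the validated value to the helper program as a single argv entry so that no shell ever parses it. The helper name tty_client and its --server flag are placeholders.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Longest hostname accepted (RFC 1035 limit for a full domain name). */
#define TTY_SERVER_MAX 253

/* Allowlist check for a host/IP parameter: non-empty, bounded length,
 * only [A-Za-z0-9.-:] (':' admits IPv6 literals), and no label that starts
 * with '-' so the value can never be read as a command-line option.
 * Shell metacharacters such as ';', '`', '$', '|' and whitespace are
 * rejected simply because they are not on the allowlist. */
bool is_valid_tty_server(const char *value)
{
    if (value == NULL) return false;
    size_t len = strlen(value);
    if (len == 0 || len > TTY_SERVER_MAX) return false;
    if (value[0] == '-') return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':')) return false;
        if (c == '.' && value[i + 1] == '-') return false;
    }
    return true;
}

/* Hardened invocation: the validated value becomes one argv element of the
 * placeholder helper "tty_client", so there is no shell command line to
 * inject into. Returns the child's exit status, or -1 on rejection/error. */
int run_tty_client(const char *server)
{
    if (!is_valid_tty_server(server)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "tty_client", "--server", (char *)server, NULL };
        execvp(argv[0], argv);
        _exit(127); /* exec failed: never fall back to system() */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Pairing this with the AC-3 control (an authentication check before the handler runs at all) closes both paths the summary names.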

References