CVE-2026-5689: Command Injection in Totolink A7100RU
Platform: linux
Component: totolink-a7100ru
Fixed in: 7.4.1
CVE-2026-5689 is a Command Injection vulnerability discovered in the Totolink A7100RU router. This flaw allows an attacker to execute arbitrary operating system commands on the device, potentially leading to complete system compromise. The vulnerability affects version 7.4cu.2313_b20191024. Due to the public nature of the exploit and lack of a patch, immediate action is recommended.
Impact and Attack Scenarios
A command injection vulnerability has been detected in the Totolink A7100RU router, specifically affecting version 7.4cu.2313_b20191024. This vulnerability resides within the setNtpCfg function of the /cgi-bin/cstecgi.cgi file. A remote attacker can exploit this flaw by manipulating the tz argument, allowing them to execute arbitrary operating system commands on the device. The vulnerability is rated as 7.3 on the CVSS scale, indicating a moderately high risk. The public availability of the exploit exacerbates the situation, making it easier for malicious actors to utilize it. The absence of an official fix (fix: none) necessitates proactive preventative measures from users.
Exploitation Context
CVE-2026-5689 allows for remote code execution on the Totolink A7100RU. An attacker can send a specially crafted HTTP request to /cgi-bin/cstecgi.cgi, manipulating the tz parameter to inject operating system commands. These commands will execute with the privileges of the router's web process, potentially allowing the attacker to gain full control of the device. The public exploit means attackers now have a proven tool to exploit this vulnerability, significantly increasing the risk of targeted attacks. Insufficient authentication within the setNtpCfg function is the root cause of this vulnerability.
Threat Intelligence
EPSS: 4.86% (90th percentile)
CVSS Vector
What do these metrics mean?
- Attack Vector: Network. Remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: Low. No special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: None. Unauthenticated. No login or credentials needed to exploit.
- User Interaction: None. Attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope: Unchanged. Impact is limited to the vulnerable component itself.
- Confidentiality: Low. Partial or indirect data access. Attacker gains limited information.
- Integrity: Low. Attacker can modify some data with limited scope or impact.
- Availability: Low. Partial or intermittent denial of service. Attacker can degrade performance.
Mitigation and Workarounds
Given the lack of an official patch to address this vulnerability, Totolink A7100RU users running version 7.4cu.2313_b20191024 are strongly advised to take immediate steps to protect their networks. These measures include, but are not limited to, changing the router's default password to a strong, unique password, disabling remote access to the router's administration interface if not required, and monitoring network activity for signs of intrusion. Replacing the router with a model offering updated security support is a long-term option. The absence of a patch makes mitigation more complex and reliant on robust security practices.
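For the monitoring step, the following added example (not code from Totolink or from this advisory's source) flags captured requests to /cgi-bin/cstecgi.cgi whose setNtpCfg tz value falls outside an allowlist. It assumes the request body is JSON with the handler name in a `topicurl` field and that legitimate tz values are short zone strings; the allowlist, the `otherHandler` name and the sample requests are constructed for illustration.

```python
import json
import re

TARGET_PATH = "/cgi-bin/cstecgi.cgi"   # endpoint named in the advisory
HANDLER = "setNtpCfg"                  # function named in the advisory
# Assumption: a legitimate tz value is a short zone string such as "UTC-8".
TZ_ALLOWED = re.compile(r"[A-Za-z0-9+\-:.,/_]{1,48}")

def classify(method, path, body):
    """Return 'ignore', 'unparsed', 'ok' or 'suspicious' for one request."""
    if method != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return "ignore"
    try:
        params = json.loads(body)
    except ValueError:
        return "unparsed"              # body is not JSON: review by hand
    if not isinstance(params, dict):
        return "unparsed"
    # Assumption: the handler name travels in a "topicurl" field.
    if not str(params.get("topicurl", "")).endswith(HANDLER):
        return "ignore"
    if "tz" not in params:
        return "ok"
    tz = params["tz"]
    if isinstance(tz, str) and TZ_ALLOWED.fullmatch(tz):
        return "ok"
    return "suspicious"                # tz has characters outside the allowlist

def scan(requests):
    """Return indexes of requests whose tz value fails the allowlist."""
    return [i for i, r in enumerate(requests) if classify(*r) == "suspicious"]

# Constructed sample traffic (method, path, body); not captured from a device.
SAMPLE = [
    ("POST", TARGET_PATH, '{"topicurl":"setNtpCfg","tz":"UTC-8"}'),
    ("POST", TARGET_PATH, '{"topicurl":"setNtpCfg","tz":"UTC-8;PLACEHOLDER"}'),
    ("POST", TARGET_PATH, '{"topicurl":"setNtpCfg","tz":"$(PLACEHOLDER)"}'),
    ("POST", TARGET_PATH, '{"topicurl":"otherHandler"}'),
    ("GET", "/index.html", ""),
]

if __name__ == "__main__":
    for i in scan(SAMPLE):
        print("review request", i, SAMPLE[i][2])
```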
How to fix
Update the Totolink A7100RU router firmware to a version fixed by the vendor. Check the Totolink website or contact technical support to obtain the latest available version. This vulnerability allows remote code execution, so it is crucial to apply the update as soon as possible.
Frequently asked questions
What is CVE-2026-5689 — Command Injection in Totolink A7100RU Router?
It's a unique identifier for this vulnerability, used to track and reference it in security reports.
Am I affected by CVE-2026-5689 in Totolink A7100RU Router?
It's a type of vulnerability that allows an attacker to execute arbitrary commands on the underlying operating system of the device.
How do I fix CVE-2026-5689 in Totolink A7100RU Router?
Implement the recommended mitigation measures, such as changing the password and disabling remote access. Consider upgrading to a more secure firmware or replacing the router.
Is CVE-2026-5689 being actively exploited?
Currently, there is no official fix provided by Totolink (fix: none).
Where can I find the official Totolink A7100RU Router advisory for CVE-2026-5689?
KEV refers to 'Knowledge Environment Vulnerability'. In this case, it indicates that there is no specific knowledge environment for this vulnerability.