Platform
other
Component
totolink-a3600r-firmware
Fixed in
4.1.3
CVE-2026-5020 describes a Command Injection vulnerability discovered in the Totolink A3600R router's firmware. This flaw allows attackers to execute arbitrary commands on the device through manipulation of the NoticeUrl parameter within the /cgi-bin/cstecgi.cgi file. The vulnerability impacts firmware versions 4.1.2cu.5182–4.1.2cu.5182 and is now publicly known with a proof-of-concept available, requiring immediate attention.
Successful exploitation of CVE-2026-5020 grants an attacker complete control over the affected Totolink A3600R router. This includes the ability to modify router configurations, intercept network traffic, install malware, and potentially pivot to other devices on the network. Given the router's role as a gateway, a compromised device can serve as a launchpad for broader network attacks. The public availability of a proof-of-concept significantly increases the risk of exploitation, particularly in environments with unpatched devices. The potential blast radius extends to all devices behind the compromised router.
CVE-2026-5020 is a publicly known vulnerability with a proof-of-concept available, indicating a high likelihood of exploitation. While no confirmed exploitation campaigns have been publicly reported as of the publication date, the ease of exploitation and public availability of the PoC make it a significant risk. The vulnerability was disclosed on 2026-03-29. The CVSS score of 6.3 (Medium) reflects the potential impact and relatively easy exploitability.
Exploit Status
EPSS
1.55% (81st percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-5020 is to upgrade the Totolink A3600R firmware to a patched version as soon as it becomes available. Until a patch is released, consider implementing temporary workarounds. These include deploying a Web Application Firewall (WAF) with rules to filter malicious input targeting the /cgi-bin/cstecgi.cgi endpoint, specifically blocking attempts to inject commands via the NoticeUrl parameter. Additionally, restrict access to the router's management interface to trusted networks and users. After applying any mitigation, verify its effectiveness by attempting to trigger the vulnerability with a controlled payload and confirming that the command injection is prevented.
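As an added, defender-side example that is not part of the advisory: a small Python inspector that flags requests to /cgi-bin/cstecgi.cgi whose NoticeUrl value contains shell metacharacters, which is the check a WAF rule or a log review for this CVE would implement. The page does not say whether the parameter travels in the query string or in a form-encoded or JSON body, so all three are handled; the sample requests are constructed.

```python
import json
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Endpoint and parameter named in the advisory for CVE-2026-5020.
VULN_PATH = "/cgi-bin/cstecgi.cgi"
VULN_PARAM = "NoticeUrl"

# Characters a legitimate notice URL never needs but that a shell treats as
# command separators or substitutions. Assumption: NoticeUrl holds a plain URL.
SHELL_META = re.compile(r"[;&|`$(){}<>\r\n]")

def extract_params(target: str, body: str = "") -> dict:
    """Merge query-string parameters with a form-encoded or JSON body. The
    page does not say which the device uses, so both are handled."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    body = body.strip()
    if body.startswith("{"):
        try:
            for k, v in json.loads(body).items():
                params.setdefault(k, []).append(str(v))
        except (ValueError, AttributeError):
            pass  # malformed or non-object JSON: nothing more to extract
    elif body:
        for k, v in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(k, []).extend(v)
    return params

def inspect_request(target: str, body: str = ""):
    """Return a finding dict when a request to the vulnerable endpoint carries
    a NoticeUrl value with shell metacharacters; otherwise None."""
    if urlsplit(target).path != VULN_PATH:
        return None
    for value in extract_params(target, body).get(VULN_PARAM, []):
        value = unquote_plus(value)  # also catch percent-encoded metacharacters
        hit = SHELL_META.search(value)
        if hit:
            return {"param": VULN_PARAM, "metachar": hit.group(0), "value": value}
    return None

# Constructed sample requests as (target, body); not from any real capture.
SAMPLE_REQUESTS = [
    ("/cgi-bin/cstecgi.cgi", '{"NoticeUrl": "http://intranet.example/notice.html"}'),
    ("/cgi-bin/cstecgi.cgi", '{"NoticeUrl": "http://intranet.example/;id"}'),
    ("/cgi-bin/cstecgi.cgi?NoticeUrl=http%3A%2F%2Fx%2F%60id%60", ""),
    ("/cgi-bin/other.cgi", '{"NoticeUrl": "http://x/;id"}'),
]

def scan(requests=SAMPLE_REQUESTS) -> list:
    """Run inspect_request over a batch and keep only the findings."""
    return [f for t, b in requests if (f := inspect_request(t, b))]
```

Running scan() on the constructed batch yields two findings: the JSON body with ";" and the percent-encoded query value with a backtick; the clean URL and the request to another endpoint are not flagged.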
Update the Totolink A3600R router firmware to a version later than 4.1.2cu.5182_B20201102 to fix the command injection vulnerability. Refer to the vendor's website for the latest firmware version and update instructions.
CVE-2026-5020 is a Command Injection vulnerability in the Totolink A3600R router's firmware, allowing attackers to execute commands remotely via the NoticeUrl parameter.
You are affected if your Totolink A3600R router is running firmware version 4.1.2cu.5182–4.1.2cu.5182 and has not been updated.
Upgrade your Totolink A3600R firmware to a patched version as soon as it's available. Until then, implement WAF rules or restrict access to the management interface.
While no confirmed exploitation campaigns are publicly reported, the public availability of a proof-of-concept suggests a high likelihood of exploitation.
Please refer to the Totolink website or security advisories for the latest information and official advisory regarding CVE-2026-5020.