CVE-2026-36841
Command Injection Vulnerability in TOTOLINK N200RE V5 Router
Publication date: 2026-04-29
Last updated on: 2026-04-29
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| totolink | n200re | 5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The CVE-2026-36841 vulnerability allows attackers to execute arbitrary system commands on the TOTOLINK N200RE V5 router due to improper input sanitization in the formMapDelDevice function. This can lead to unauthorized access, data breaches, and potential disruption of services.
Such unauthorized access and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data, ensuring confidentiality, integrity, and availability.
Specifically, a high-severity command injection vulnerability (CVSS 9.8) that allows full control over the device could result in violations of data protection requirements, incident reporting obligations, and security controls mandated by these regulations.
Can you explain this vulnerability to me?
The vulnerability in TOTOLINK N200RE V5 is a command injection issue. It occurs through the macstr and bandstr parameters in the formMapDelDevice function, allowing an attacker to inject and execute arbitrary commands on the device.
How can this vulnerability impact me?
This command injection vulnerability can allow an attacker to execute arbitrary commands on the affected device, potentially leading to unauthorized control, data compromise, or disruption of device functionality.
Can you explain this vulnerability to me?
CVE-2026-36841 is a command injection vulnerability found in the TOTOLINK N200RE V5 router, specifically in the cstecgi service interface.
The vulnerability occurs because the formMapDelDevice function does not properly sanitize user inputs in the macstr and bandstr parameters. These parameters are concatenated into system commands using sprintf and then executed via the system function.
As a result, an authenticated attacker can send specially crafted requests to the formMapDelDevice endpoint to execute arbitrary system commands with the privileges of the vulnerable service.
How can this vulnerability impact me?
This vulnerability can have severe impacts because it allows an attacker to execute arbitrary system commands on the affected device.
- Complete compromise of the router, including unauthorized access to network traffic and device settings.
- Potential disruption of network services or denial of service by executing harmful commands.
- Attackers could use the compromised device as a foothold to launch further attacks within the network.
The CVSS v3.1 base score of 9.8 indicates a critical severity with high impact on confidentiality, integrity, and availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious requests to the formMapDelDevice endpoint on the TOTOLINK N200RE V5 router, especially those containing the macstr and bandstr parameters.
Since the vulnerability involves command injection via these parameters, you can look for unusual or malformed input in HTTP requests targeting the cstecgi service interface.
A practical detection method is to capture and analyze network traffic for POST or GET requests to the formMapDelDevice endpoint that include suspicious payloads in macstr or bandstr.
- Use network packet capture tools like tcpdump or Wireshark to filter HTTP requests to the vulnerable endpoint.
- Example tcpdump command to capture traffic to the router's IP on port 80 or 443 (the parentheses keep the host filter applied to both ports): tcpdump -i <interface> -w capture.pcap 'host <router_ip> and (port 80 or port 443)'
- Use curl or similar tools to test the endpoint with benign and crafted inputs to see if the system executes commands unexpectedly.
- Example curl command to test the endpoint (replace <router_ip>): curl -X POST http://<router_ip>/cstecgi/formMapDelDevice -d "macstr=test&bandstr=test"
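One way to automate the request review described above, as an added example that is not part of the original advisory or any vendor tooling: it applies an allowlist to macstr and bandstr in requests that name formMapDelDevice and reports values that do not fit. The benign value shapes (a MAC address for macstr, a short alphanumeric token for bandstr), the JSON body handling, and the sample requests are assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qsl, urlsplit

ENDPOINT = "formMapDelDevice"  # handler named in the advisory
# Assumptions (not from the advisory): what benign values look like.
ALLOWED = {
    "macstr": re.compile(r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}"),
    "bandstr": re.compile(r"[A-Za-z0-9.]{1,8}"),
}


def extract_params(url, body):
    """Collect parameters from the query string and a form or JSON body."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    try:
        obj = json.loads(body)
        if isinstance(obj, dict):
            pairs += [(k, str(v)) for k, v in obj.items()]
    except ValueError:
        # Not JSON: treat the body as application/x-www-form-urlencoded.
        pairs += parse_qsl(body, keep_blank_values=True)
    return pairs


def suspicious_params(url, body=""):
    """Return (name, value) pairs on the endpoint that fail the allowlist."""
    if ENDPOINT not in url and ENDPOINT not in body:
        return []
    return [
        (name, value)
        for name, value in extract_params(url, body)
        if name in ALLOWED and not ALLOWED[name].fullmatch(value)
    ]


# Constructed sample requests (method, URL, body); not captured traffic.
SAMPLES = [
    ("POST", "/cstecgi/formMapDelDevice", "macstr=00%3A11%3A22%3A33%3A44%3A55&bandstr=5G"),
    ("POST", "/cstecgi/formMapDelDevice", "macstr=00%3A11%3A22%3A33%3A44%3A55%3Becho+constructed&bandstr=5G"),
    ("GET", "/cstecgi/formMapDelDevice?macstr=00-11-22-33-44-55&bandstr=%24%28echo+constructed%29", ""),
    ("POST", "/cstecgi/otherHandler", "macstr=%3Becho+constructed"),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        hits = suspicious_params(url, body)
        print("ALERT" if hits else "ok   ", method, url.split("?")[0], hits)
```

Feed it the request line and body of each HTTP request exported from a capture or proxy log; traffic captured on port 443 has to be decrypted first, since the parameters are not visible in TLS.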
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable cstecgi service interface to trusted users only, such as by limiting network access or using firewall rules.
Avoid exposing the TOTOLINK N200RE V5 router's management interface to untrusted networks or the internet.
If possible, disable or restrict the formMapDelDevice functionality until a patch or update is available.
Monitor logs and network traffic for suspicious activity targeting the macstr and bandstr parameters.
Apply any available firmware updates or patches from the vendor addressing this vulnerability as soon as they are released.