CVE-2026-36841
Received Received - Intake
Command Injection Vulnerability in TOTOLINK N200RE V5 Router

Publication date: 2026-04-29

Last updated on: 2026-04-29

Assigner: MITRE

Description
TOTOLINK N200RE V5 was discovered to contain a command injection vulnerability via the macstr and bandstr parameters in the formMapDelDevice function.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-29
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-29
EPSS Evaluated
2026-06-15
NVD
CVE-2026-36841
EUVD
EUVD-2026-26231
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
totolink n200re 5
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in TOTOLINK N200RE V5 is a command injection issue. It occurs through the macstr and bandstr parameters in the formMapDelDevice function, allowing an attacker to inject and execute arbitrary commands on the device.

Impact Analysis

This command injection vulnerability can allow an attacker to execute arbitrary commands on the affected device, potentially leading to unauthorized control, data compromise, or disruption of device functionality.

Executive Summary

CVE-2026-36841 is a command injection vulnerability found in the TOTOLINK N200RE V5 router, specifically in the cstecgi service interface.

The vulnerability occurs because the formMapDelDevice function does not properly sanitize user inputs in the macstr and bandstr parameters. These parameters are concatenated into system commands using sprintf and then executed via the system function.

As a result, an authenticated attacker can send specially crafted requests to the formMapDelDevice endpoint to execute arbitrary system commands with the privileges of the vulnerable service.

Impact Analysis

This vulnerability can have severe impacts because it allows an attacker to execute arbitrary system commands on the affected device.

  • Complete compromise of the router, including unauthorized access to network traffic and device settings.
  • Potential disruption of network services or denial of service by executing harmful commands.
  • Attackers could use the compromised device as a foothold to launch further attacks within the network.

The CVSS v3.1 base score of 9.8 indicates a critical severity with high impact on confidentiality, integrity, and availability.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious requests to the formMapDelDevice endpoint on the TOTOLINK N200RE V5 router, especially those containing the macstr and bandstr parameters.

Since the vulnerability involves command injection via these parameters, you can look for unusual or malformed input in HTTP requests targeting the cstecgi service interface.

A practical detection method is to capture and analyze network traffic for POST or GET requests to the formMapDelDevice endpoint that include suspicious payloads in macstr or bandstr.

  • Use network packet capture tools like tcpdump or Wireshark to filter HTTP requests to the vulnerable endpoint.
  • Example tcpdump command to capture traffic to the router's IP on port 80 or 443: tcpdump -i <interface> host <router_ip> and port 80 or port 443 -w capture.pcap
  • Use curl or similar tools to test the endpoint with benign and crafted inputs to see if the system executes commands unexpectedly.
  • Example curl command to test the endpoint (replace <router_ip>): curl -X POST http://<router_ip>/cstecgi/formMapDelDevice -d "macstr=test&bandstr=test"
Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable cstecgi service interface to trusted users only, such as by limiting network access or using firewall rules.

Avoid exposing the TOTOLINK N200RE V5 router's management interface to untrusted networks or the internet.

If possible, disable or restrict the formMapDelDevice functionality until a patch or update is available.

Monitor logs and network traffic for suspicious activity targeting the macstr and bandstr parameters.

Apply any available firmware updates or patches from the vendor addressing this vulnerability as soon as they are released.

Compliance Impact

The CVE-2026-36841 vulnerability allows attackers to execute arbitrary system commands on the TOTOLINK N200RE V5 router due to improper input sanitization in the formMapDelDevice function. This can lead to unauthorized access, data breaches, and potential disruption of services.

Such unauthorized access and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data, ensuring confidentiality, integrity, and availability.

Specifically, a high-severity command injection vulnerability (CVSS 9.8) that allows full control over the device could result in violations of data protection requirements, incident reporting obligations, and security controls mandated by these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-36841. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart