CVE-2026-5689
OS Command Injection in Totolink A7100RU setNtpCfg Function
Publication date: 2026-04-06
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| totolink | a7100ru | 7.4cu.2313_b20191024 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Totolink A7100RU router firmware version 7.4cu.2313_b20191024, specifically in the function setNtpCfg within the file /cgi-bin/cstecgi.cgi.
The issue arises when the argument 'tz' is manipulated, leading to an operating system command injection vulnerability.
This means an attacker can remotely execute arbitrary OS commands on the device without any authentication.
The exploit for this vulnerability is publicly available.
How can this vulnerability impact me? :
Because this vulnerability allows remote OS command injection without authentication, an attacker can take control of the affected device.
Potential impacts include unauthorized access, disruption of network services, data interception or modification, and using the device as a foothold for further attacks within the network.
The vulnerability has a CVSS v3.1 base score of 7.3, indicating a high severity level.