CVE-2026-5689
Received Received - Intake
OS Command Injection in Totolink A7100RU setNtpCfg Function

Publication date: 2026-04-06

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. The affected element is the function setNtpCfg of the file /cgi-bin/cstecgi.cgi. Performing a manipulation of the argument tz results in os command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-14
NVD
CVE-2026-5689
EUVD
EUVD-2026-19551
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
totolink a7100ru 7.4cu.2313_b20191024
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Totolink A7100RU router firmware version 7.4cu.2313_b20191024, specifically in the function setNtpCfg within the file /cgi-bin/cstecgi.cgi.

The issue arises when the argument 'tz' is manipulated, leading to an operating system command injection vulnerability.

This means an attacker can remotely execute arbitrary OS commands on the device without any authentication.

The exploit for this vulnerability is publicly available.

Impact Analysis

Because this vulnerability allows remote OS command injection without authentication, an attacker can take control of the affected device.

Potential impacts include unauthorized access, disruption of network services, data interception or modification, and using the device as a foothold for further attacks within the network.

The vulnerability has a CVSS v3.1 base score of 7.3, indicating a high severity level.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5689. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart