CVE-2026-5997
Published April 10, 2026 · Updated April 10, 2026
What This Means
CVE-2026-5997 is a critical remote command injection vulnerability found in the Totolink A7100RU router firmware version 7.4cu.2313_b20191024. The issue lies within the `setLoginPasswordCfg` function, where improper handling of the `admpass` argument allows attackers to execute arbitrary operating system commands remotely. To mitigate this risk, immediately update the firmware to a patched version, if available, or implement network-level controls to restrict access to the device.
Official Description
A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. The impacted element is the function setLoginPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument admpass results in os command injection. It is possible to launch the attack remotely. The exploit is now public and may be used.
Recommended Actions
- Check whether your systems use the affected product named above (Totolink A7100RU, firmware 7.4cu.2313_b20191024).
- Apply vendor patches immediately if available.
- Monitor vendor advisories for updates and additional mitigations.
- Review logs for indicators of compromise related to CVE-2026-5997.
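One way to carry out the log review, as an added example that is not part of the advisory or any vendor tooling: it scans captured HTTP requests to `/cgi-bin/cstecgi.cgi` that name `setLoginPasswordCfg` and flags `admpass` values containing shell metacharacters. The record layout (`src`, `path`, `body`), the JSON/form encodings, the `topicurl` key and the sample records are assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import unquote_plus

CGI_PATH = "/cgi-bin/cstecgi.cgi"   # from the advisory
FUNCTION = "setLoginPasswordCfg"    # from the advisory
# Assumption: admpass is sent as JSON ("admpass":"v") or form data (admpass=v).
ADMPASS_RE = re.compile(
    r'"admpass"\s*:\s*"((?:[^"\\]|\\.)*)"|(?:^|[&?\s])admpass=([^&\s]*)')
# Characters a shell uses for chaining, substitution or redirection.
SHELL_META = re.compile(r'[;&|`<>\n]|\$\(|\$\{')

def triage(records):
    """Return (src, admpass, reason) for each request that needs review."""
    findings = []
    for rec in records:
        if CGI_PATH not in rec["path"] or FUNCTION not in rec["body"]:
            continue
        m = ADMPASS_RE.search(rec["body"])
        if m is None:
            # Do not silently pass a body we could not parse.
            findings.append((rec["src"], None, "admpass not parsed"))
            continue
        raw_json, raw_form = m.groups()
        try:
            value = (json.loads(f'"{raw_json}"') if raw_json is not None
                     else unquote_plus(raw_form))
        except ValueError:
            value = raw_json  # malformed escape: inspect the raw text
        if SHELL_META.search(value):
            findings.append((rec["src"], value, "shell metacharacter in admpass"))
    return findings

# Constructed sample records (documentation IP ranges, placeholder values).
SAMPLE = [
    {"src": "192.0.2.10", "path": "/cgi-bin/cstecgi.cgi",
     "body": '{"topicurl":"setLoginPasswordCfg","admpass":"Corr3ct-Horse_Battery"}'},
    {"src": "198.51.100.7", "path": "/cgi-bin/cstecgi.cgi",
     "body": '{"admpass":"x;CONSTRUCTED_PLACEHOLDER","topicurl":"setLoginPasswordCfg"}'},
    {"src": "198.51.100.8", "path": "/cgi-bin/cstecgi.cgi",
     "body": "topicurl=setLoginPasswordCfg&admpass=x%60CONSTRUCTED%60"},
    {"src": "192.0.2.11", "path": "/index.html", "body": ""},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Legitimate passwords can contain some of these characters, so treat each finding as a lead to correlate with the source address and timing rather than as proof of compromise.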