CVE-2026-5994 - Vulnerability Analysis
CriticalCVSS: 9.8Last Updated: April 13, 2026
Totolink A7100RU - Command Injection
Overview
Totolink A7100RU 7.4cu.2313_b20191024 contains a command injection caused by manipulation of the "telnet_enabled" argument in /cgi-bin/cstecgi.cgi's setTelnetCfg function, letting remote attackers execute OS commands, exploit requires no special privileges.
Severity & Score
Impact
Remote attackers can execute arbitrary OS commands, potentially leading to full system compromise.
Mitigation
Update to the latest version or apply vendor patches addressing this issue.
References
Social Media Activity(2 posts)
ā ļø CVE-2026-5994: CRITICAL OS command injection in Totolink A7100RU (7.4cu.2313_b20191024). Remote attackers can run OS commands via setTelnetCfg. No patch yet; public exploit released. Restrict access & monitor traffic. https://radar.offseq.com/threat/cve-2026-5994-os-command-injection-in-totolink-a71-2d1c7675 #OffSeq #Vuln #RouterSecurity
View original post
š“ CVE-2026-5994 - Critical (9.8) A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. This issue affects the function setTelnetCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument telnet_enabled resu... š https://www.thehackerwire.com/vulnerability/CVE-2026-5994/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original postRelated Resources
Details
- CVE ID
- CVE-2026-5994
- Severity
- Critical
- CVSS Score
- 9.8
- Type
- command_injection
- Status
- unconfirmed
- EPSS
- 89.2%
- Social Posts
- 2
CWE
- CWE-77
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H