Skip to main content

TOTOLINK N200RE CVE-2026-36841

| EUVDEUVD-2026-26231 CRITICAL
Command Injection (CWE-77)
2026-04-29 mitre
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 29, 2026 - 21:37 vuln.today
cvss_changed
Analysis Generated
Apr 29, 2026 - 21:22 vuln.today
CVSS changed
Apr 29, 2026 - 21:22 NVD
9.8 (None) 9.8 (CRITICAL)
EUVD ID Assigned
Apr 29, 2026 - 14:45 euvd
EUVD-2026-26231
Analysis Generated
Apr 29, 2026 - 14:45 vuln.today
CVE Published
Apr 29, 2026 - 00:00 nvd
CRITICAL 9.8

DescriptionCVE.org

TOTOLINK N200RE V5 was discovered to contain a command injection vulnerability via the macstr and bandstr parameters in the formMapDelDevice function.

AnalysisAI

Remote unauthenticated command injection in TOTOLINK N200RE V5 router allows complete device compromise via formMapDelDevice function. Attackers can execute arbitrary OS commands by injecting malicious payloads into the macstr or bandstr parameters with no authentication required (CVSS 9.8, AV:N/AC:L/PR:N/UI:N). Public proof-of-concept code exists per SSVC framework (exploitation: poc), making this immediately weaponizable against internet-facing devices. EPSS data unavailable, but CVSS vector and POC availability indicate critical real-world risk for consumer routers with default configurations exposed to the internet.

Technical ContextAI

This vulnerability exploits improper neutralization of special elements used in OS commands (CWE-77) within the formMapDelDevice function of TOTOLINK N200RE V5 router firmware. The function processes macstr (MAC address string) and bandstr (bandwidth/band string) parameters without adequate input sanitization, allowing shell metacharacters to break out of the intended command context. Consumer routers like the N200RE typically run embedded Linux with lightweight web interfaces (often CGI-based), where administrative functions invoke system commands directly. When user-supplied input from HTTP parameters is concatenated into shell commands without proper escaping or validation, attackers can inject arbitrary commands that execute with the privileges of the web server process, typically root on SOHO routers. The CPE data shows 'n/a' fields, indicating incomplete product identification in the NVD record, though the CVE description clearly identifies the specific product and version.

RemediationAI

Check TOTOLINK official support site for firmware updates addressing CVE-2026-36841 for the N200RE V5 model, though no vendor advisory or patched firmware version was identified in the provided data at time of analysis. Until a verified patch is released, implement these specific compensating controls with associated trade-offs: First, disable remote administration entirely via the web interface (typically under Administration > Remote Access settings), limiting management to local LAN only - this eliminates internet-based exploitation but requires physical proximity or VPN for administration. Second, if remote access is operationally required, restrict administrative interface access by source IP using the router's firewall rules to only trusted management networks - this reduces attack surface but requires static IPs and creates operational overhead. Third, place the N200RE behind a separate firewall appliance that does not expose the router's management interface to WAN - this adds defense in depth but requires additional hardware investment. Monitor TOTOLINK security advisories at the vendor website and the CVE reference repository at https://github.com/0xmania/cve/tree/main/TOTOLINK-N200RE_V5-cstecgi-formMapDelDevice-CommandInjection for updates. Given TOTOLINK's historical patch cadence for end-of-life consumer products, replacement with actively supported hardware may be more reliable than waiting for a firmware fix.

Share

CVE-2026-36841 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy