Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
TOTOLINK N200RE V5 was discovered to contain a command injection vulnerability via the macstr and bandstr parameters in the formMapDelDevice function.
AnalysisAI
Remote unauthenticated command injection in TOTOLINK N200RE V5 router allows complete device compromise via formMapDelDevice function. Attackers can execute arbitrary OS commands by injecting malicious payloads into the macstr or bandstr parameters with no authentication required (CVSS 9.8, AV:N/AC:L/PR:N/UI:N). Public proof-of-concept code exists per SSVC framework (exploitation: poc), making this immediately weaponizable against internet-facing devices. EPSS data unavailable, but CVSS vector and POC availability indicate critical real-world risk for consumer routers with default configurations exposed to the internet.
Technical ContextAI
This vulnerability exploits improper neutralization of special elements used in OS commands (CWE-77) within the formMapDelDevice function of TOTOLINK N200RE V5 router firmware. The function processes macstr (MAC address string) and bandstr (bandwidth/band string) parameters without adequate input sanitization, allowing shell metacharacters to break out of the intended command context. Consumer routers like the N200RE typically run embedded Linux with lightweight web interfaces (often CGI-based), where administrative functions invoke system commands directly. When user-supplied input from HTTP parameters is concatenated into shell commands without proper escaping or validation, attackers can inject arbitrary commands that execute with the privileges of the web server process, typically root on SOHO routers. The CPE data shows 'n/a' fields, indicating incomplete product identification in the NVD record, though the CVE description clearly identifies the specific product and version.
RemediationAI
Check TOTOLINK official support site for firmware updates addressing CVE-2026-36841 for the N200RE V5 model, though no vendor advisory or patched firmware version was identified in the provided data at time of analysis. Until a verified patch is released, implement these specific compensating controls with associated trade-offs: First, disable remote administration entirely via the web interface (typically under Administration > Remote Access settings), limiting management to local LAN only - this eliminates internet-based exploitation but requires physical proximity or VPN for administration. Second, if remote access is operationally required, restrict administrative interface access by source IP using the router's firewall rules to only trusted management networks - this reduces attack surface but requires static IPs and creates operational overhead. Third, place the N200RE behind a separate firewall appliance that does not expose the router's management interface to WAN - this adds defense in depth but requires additional hardware investment. Monitor TOTOLINK security advisories at the vendor website and the CVE reference repository at https://github.com/0xmania/cve/tree/main/TOTOLINK-N200RE_V5-cstecgi-formMapDelDevice-CommandInjection for updates. Given TOTOLINK's historical patch cadence for end-of-life consumer products, replacement with actively supported hardware may be more reliable than waiting for a firmware fix.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26231