Is there a public PoC exploit available for CVE-2026-5677?

Yes, a public proof-of-concept exploit is available for CVE-2026-5677. Prioritise patching immediately. EPSS: 2.4%.

A7100Ru CVE-2026-5677

Q: What is the CVSS score of CVE-2026-5677?

CVE-2026-5677 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 2.4%.

EUVD-2026-19436 MEDIUM

OS Command Injection (CWE-78)

2026-04-06 VulDB

Command Injection A7100Ru

5.5

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

5.5 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

CVSS changed

Apr 29, 2026 - 01:11 NVD

6.9 (MEDIUM) 5.5 (MEDIUM)

PoC Detected

Apr 07, 2026 - 13:20 vuln.today

Public exploit code

EUVD ID Assigned

Apr 06, 2026 - 19:00 euvd

EUVD-2026-19436

Analysis Generated

Apr 06, 2026 - 19:00 vuln.today

CVE Published

Apr 06, 2026 - 18:30 nvd

MEDIUM 6.9

DescriptionCVE.org

A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. Impacted is the function CsteSystem of the file /cgi-bin/cstecgi.cgi. Performing a manipulation of the argument resetFlags results in os command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks.

AnalysisAI

Remote command injection in Totolink A7100RU firmware 7.4cu.2313_b20191024 allows unauthenticated attackers to execute arbitrary OS commands via manipulation of the resetFlags parameter in the CsteSystem function (/cgi-bin/cstecgi.cgi). Publicly available exploit code exists for this vulnerability, which achieves a CVSS 6.9 score with low confidentiality, integrity, and availability impact across multiple scopes.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	This vulnerability presents a moderate-to-high real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker identifies an internet-facing Totolink A7100RU device on port 80 or 443 and sends an HTTP request to /cgi-bin/cstecgi.cgi with a crafted POST/GET parameter containing shell metacharacters (e.g., resetFlags=test;malicious_command;) that breaks out of the intended command context. Because the CGI process does not validate or escape the input, the injected command executes with the privileges of the web service, potentially allowing the attacker to read sensitive configuration files, modify firewall rules, capture network traffic, or pivot to internal network hosts. …
Remediation	Immediate remediation requires upgrading the Totolink A7100RU to a patched firmware version released by Totolink after version 7.4cu.2313_b20191024; however, no specific fixed firmware version is confirmed in available data, and users should verify patch availability directly on the Totolink support website (https://www.totolink.net/). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-5677 vulnerability details – vuln.today

Back