Which versions of Totolink A7100RU are affected by CVE-2026-5994?

Totolink A7100RU routers running firmware 7.4cu.2313_b20191024 contain a critical remote command injection vulnerability accessible without authentication, allowing attackers to completely compromise…

Is there a public PoC exploit available for CVE-2026-5994?

Yes, a public proof-of-concept exploit is available for CVE-2026-5994. Prioritise patching immediately. EPSS: 0.9%.

Totolink A7100RU CVE-2026-5994

Q: What is the CVSS score of CVE-2026-5994?

CVE-2026-5994 has a CVSS 4.0 base score of 8.9 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.9%.

EUVD-2026-21270 HIGH

OS Command Injection (CWE-78)

2026-04-10 VulDB

GHSA-3mg5-x6vg-3pmj

Command Injection

8.9

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Re-analysis Queued

Apr 27, 2026 - 19:07 vuln.today

cvss_changed

PoC Detected

Apr 10, 2026 - 01:16 vuln.today

Public exploit code

EUVD ID Assigned

Apr 10, 2026 - 01:00 euvd

EUVD-2026-21270

Analysis Generated

Apr 10, 2026 - 01:00 vuln.today

CVE Published

Apr 10, 2026 - 00:30 nvd

HIGH 8.9

DescriptionNVD

A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. This issue affects the function setTelnetCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument telnet_enabled results in os command injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks.

AnalysisAI

Remote OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 via unauthenticated manipulation of telnet_enabled parameter in setTelnetCfg function. Critical CVSS 9.8 score reflects network-accessible attack requiring no authentication or user interaction, enabling full system compromise. …

RemediationAI

Within 24 hours: Identify all Totolik A7100RU routers in production via network scanning and asset inventory; isolate affected devices from critical network segments if possible. Within 7 days: Contact Totolik support for available firmware updates or workarounds; implement network-level restrictions (firewall rules, ACLs) to block unauthorized telnet access to affected routers. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-5994 vulnerability details – vuln.today

Back

Totolink A7100RU CVE-2026-5994

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

Totolink A7100RU CVE-2026-5994

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code