Skip to main content

A3600R EUVDEUVD-2026-16961

| CVE-2026-5020 LOW
Command Injection (CWE-77)
2026-03-29 VulDB
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
5.3 (MEDIUM) 2.1 (LOW)
PoC Detected
Mar 30, 2026 - 19:01 vuln.today
Public exploit code
EUVD ID Assigned
Mar 29, 2026 - 01:00 euvd
EUVD-2026-16961
Analysis Generated
Mar 29, 2026 - 01:00 vuln.today
CVE Published
Mar 29, 2026 - 00:30 nvd
MEDIUM 5.3

DescriptionCVE.org

A vulnerability was detected in Totolink A3600R 4.1.2cu.5182_B20201102. Affected by this issue is the function setNoticeCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. The manipulation of the argument NoticeUrl results in command injection. The attack may be launched remotely. The exploit is now public and may be used.

AnalysisAI

Command injection in Totolink A3600R firmware 4.1.2cu.5182_B20201102 allows authenticated remote attackers to execute arbitrary commands via the NoticeUrl parameter in the setNoticeCfg function of /cgi-bin/cstecgi.cgi. The vulnerability has a CVSS score of 6.3 (low-to-medium severity) but is confirmed by publicly available exploit code, making it an active threat to deployed devices despite the authentication requirement.

Technical ContextAI

The vulnerability exists in the Parameter Handler component of the Totolink A3600R router's web interface. The setNoticeCfg function fails to properly sanitize user-supplied input in the NoticeUrl parameter before passing it to system command execution, violating CWE-77 (Improper Neutralization of Special Elements used in a Command). The web-accessible CGI script /cgi-bin/cstecgi.cgi processes this parameter without input validation, allowing an authenticated user to inject shell metacharacters and execute arbitrary operating system commands on the router with the privileges of the CGI process.

RemediationAI

Apply the latest firmware patch released by Totolink for the A3600R model, available at https://www.totolink.net/. If an updated firmware version with a build number later than 5182_B20201102 is available, download and flash it via the router's web interface or management console following Totolink's official upgrade procedures. As an interim mitigation, restrict access to the router's web management interface to trusted IP addresses only using firewall rules or router ACLs, and ensure all administrative accounts use strong, unique passwords to reduce the risk of credential compromise. Additionally, disable remote management features if not actively required.

Share

EUVD-2026-16961 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy