TopVuln

High-risk vulnerability digests

CVE-2026-5996

  • HIGH

Details

CVSS v3: 9.8
CVSS v4: 8.9
CVSS v2: 10.0
NVD published: 2026-04-10 02:16:04
EPSS: 1.2% probability · 79.2th percentile — 2026-05-12
Affected versions: Totolink A7100RU 7.4cu.2313_b20191024
Summary
This is an unauthenticated remote OS command injection vulnerability in the CGI handler of affected Totolink A7100RU firmware. The flaw exists in the setAdvancedInfoShow function, where the tty_server argument is not properly sanitized before being used in OS command execution. Attackers can exploit this issue to execute arbitrary commands and fully compromise the device.
Remediation
No official security patch is available for this end-of-life product. Organizations should replace any affected devices with currently supported hardware. Restrict access to the management interface from untrusted networks as a temporary mitigation.
Exploit info
The exploit has been released to the public; public references are available at https://app.opencve.io/cve/CVE-2026-5996 or https://vulners.com/cve/CVE-2026-5996. Potential exploit details can be searched in Exploit-DB or GitHub: https://www.exploit-db.com/search?cve=CVE-2026-5996 | https://github.com/search?q=CVE-2026-5996+exploit


Information is aggregated from multiple authoritative sources for convenience; verify with NVD and vendors before operational decisions.