This vulnerability is a remote OS command injection flaw in the CGI handler of affected Totolink A7100RU routers. Attackers can craft a malicious request to the setLoginPasswordCfg function, manipulating the admpass argument to inject arbitrary system commands. Successful exploitation allows unauthenticated remote attackers to gain full control of the affected router.
Remediation
This product is end-of-life and no official patch is available from the vendor. Organizations should replace affected devices with supported alternative router models. If immediate replacement is not possible, block public internet access to the router's management interface.
Exploit info
The exploit has been released to the public; public references are available at https://app.opencve.io/cve/CVE-2026-5997 or https://vulners.com/cve/CVE-2026-5997. Potential exploit details can be searched in Exploit-DB or GitHub: https://www.exploit-db.com/search?cve=CVE-2026-5997 | https://github.com/search?q=CVE-2026-5997+exploit
TopVuln sends digest emails with high-risk CVE picks across multiple authoritative sources—curated with EPSS and AI. Choose daily per-stream emails and optional weekly or monthly roundups.