PT-2026-28742 · Totolink · Totolink Nr1800X

Wxhwxhwxh_Mie · Published 2026-03-29 · Updated 2026-03-29 · CVE-2026-5030

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Totolink NR1800X version 9.1.0u.6279 B20210910

Description

A command injection issue exists in the Telnet Service component of Totolink NR1800X. The issue is located in the NTPSyncWithHost function within the /cgi-bin/cstecgi.cgi file. Manipulation of the host time argument can lead to command injection. The attack can be initiated remotely and the exploit has been publicly disclosed.

Recommendations

Totolink NR1800X version 9.1.0u.6279 B20210910: As a temporary workaround, consider disabling the Telnet Service to minimize the risk of exploitation. Avoid using the host time argument in the /cgi-bin/cstecgi.cgi file until the issue is resolved.

Exploit

Fix

Special Elements Injection

Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-5030

Affected Products

Totolink Nr1800X