CVE-2026-5689

Name of the Vulnerable Software and Affected Versions Totolink A7100RU version 7.4cu.2313 b20191024

Description The setNtpCfg() function within the '/cgi-bin/cstecgi.cgi' endpoint fails to properly neutralize special characters used in operating system commands when processing the tz parameter. This allows a remote attacker to bypass security restrictions and perform OS command injection, leading to the execution of arbitrary commands.

Recommendations As a temporary workaround, restrict access to the '/cgi-bin/cstecgi.cgi' endpoint or avoid using the tz parameter within the setNtpCfg() function until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.