Description
TOTOLINK N200RE V5 was discovered to contain a command injection vulnerability via the macstr and bandstr parameters in the formMapDelDevice function.
Published: 2026-04-29
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the TOTOLINK N200RE V5 firmware lies in the formMapDelDevice function, where the macstr and bandstr parameters are used without proper validation. An attacker who can supply values for those parameters can inject arbitrary operating-system commands into the router. The attacker could then gain control over the device, modify its configuration, exfiltrate data, or render it unavailable, which is a severe compromise of confidentiality, integrity, and availability. The weakness conforms to CWE-77, command injection.

Affected Systems

Devices running the TOTOLINK N200RE V5 firmware that expose the formMapDelDevice management interface are affected. No further version limits are provided beyond the V5 designation.

Risk and Exploitability

The CVSS score of 9.8 marks this as a critical vulnerability. The EPSS score is less than 1%, indicating a low probability of exploitation at this time. The vulnerability is not listed in CISA's KEV catalog. The description makes no mention of authentication controls on the exposed parameters, so the lack of an authentication requirement is inferred from the description; an attacker with network reachability to the router's management interface could exploit this flaw, potentially executing arbitrary code on the device.

Generated by OpenCVE AI on May 2, 2026 at 11:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict or block network access to the formMapDelDevice endpoint using firewall rules or router configuration settings.
  • Ensure the device is isolated from public or untrusted networks; only allow trusted administrative networks to reach its management interface.
  • Monitor device logs for anomalous command execution attempts and review for potential exploitation.

Advisories

No advisories yet.

History

Sat, 02 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title Command Injection via formMapDelDevice Parameters in TOTOLINK N200RE V5

Thu, 30 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Title Command Injection in TOTOLINK N200RE V5 formMapDelDevice Function
Weaknesses CWE-78

Thu, 30 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Totolink
Totolink n200re-v5
Vendors & Products Totolink
Totolink n200re-v5

Wed, 29 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-77
Metrics cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 29 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
Title Command Injection in TOTOLINK N200RE V5 formMapDelDevice Function
Weaknesses CWE-78

Wed, 29 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
Description TOTOLINK N200RE V5 was discovered to contain a command injection vulnerability via the macstr and bandstr parameters in the formMapDelDevice function.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-29T20:28:26.618Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36841

Vulnrichment

Updated: 2026-04-29T20:26:16.554Z

NVD

Status: Deferred

Published: 2026-04-29T15:16:05.643

Modified: 2026-04-29T21:22:20.120

Link: CVE-2026-36841

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T12:00:14Z

Weaknesses