Login Sign Up

CVE-2026-1327

6.3 MEDIUM
Remote Code Execution

📋 TL;DR

This CVE describes a remote command injection vulnerability in Totolink NR1800X routers. Attackers can execute arbitrary commands on affected devices by sending specially crafted POST requests to the vulnerable endpoint. This affects users running the vulnerable firmware version on NR1800X routers.

💻 Affected Systems

Products:
  • Totolink NR1800X
Versions: 9.1.0u.6279_B20210910
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface accessible via HTTP/HTTPS. The vulnerability is in the POST request handler for traceroute configuration.

📦 What is this software?

Nr1800x Firmware by Totolink

View all CVEs affecting Nr1800x Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise allowing attackers to execute arbitrary commands with router privileges, potentially leading to persistent backdoors, network pivoting, or device bricking.

🟠

Likely Case

Attackers gain command execution on the router, enabling them to modify configurations, intercept traffic, or use the device as part of a botnet.

🟢

If Mitigated

With proper network segmentation and access controls, impact is limited to the router itself without lateral movement to other systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details available in disclosed references. Attack requires network access to the router's web interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.totolink.net/

Restart Required: Yes

Instructions:

1. Check Totolink website for firmware updates. 2. Download latest firmware. 3. Access router admin interface. 4. Navigate to firmware upgrade section. 5. Upload and apply new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Network Access Restriction

all

Restrict access to router management interface to trusted IP addresses only

Disable Remote Management

all

Disable web interface access from WAN/Internet

🧯 If You Can't Patch

  • Isolate router on separate VLAN with strict firewall rules
  • Implement network monitoring for suspicious POST requests to /cgi-bin/cstecgi.cgi

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router admin interface under System Status or About page

Check Version:

curl -s http://router-ip/cgi-bin/cstecgi.cgi | grep -i version

Verify Fix Applied:

Verify firmware version is newer than 9.1.0u.6279_B20210910

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /cgi-bin/cstecgi.cgi
  • Commands with shell metacharacters in request parameters

Network Indicators:

  • POST requests to /cgi-bin/cstecgi.cgi with command injection payloads
  • Outbound connections from router to unexpected destinations

SIEM Query:

source="router_logs" AND uri="/cgi-bin/cstecgi.cgi" AND (method="POST" OR params CONTAINS "command=")

📊 Metadata

CVE ID: CVE-2026-1327
CVSS v3 Score: 6.3 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-74
EPSS Score: 0.55% exploit probability (67.5th percentile)
Published: January 22, 2026
Last Updated: January 29, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-1327, you might also want to check these:

CVE-2026-25520 10.0

SandboxJS versions before 0.8.29 have a critical sandbox escape vulnerability that allows attackers ...

Same vulnerability type (CWE-74)
CVE-2026-25586 10.0

This CVE describes a sandbox escape vulnerability in SandboxJS library versions before 0.8.29. Attac...

Same vulnerability type (CWE-74)
CVE-2025-20281 10.0

An unauthenticated remote code execution vulnerability in Cisco ISE and ISE-PIC API allows attackers...

Same vulnerability type (CWE-74)