External risk intelligence

TOTOLINK N200RE V5 allows attackers to take control of devices over the internet.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-36841

TOTOLINK N200RE V5 has a critical flaw letting attackers take full control of your router over the internet without needing a password, potentially impacting all connected devices.

4Halo Surface Signal

Command Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-36841

The vulnerability resides in the web management interface of a router. Although typically accessed from a local network, such interfaces are commonly deployed as externally reachable management surfaces, either by user intent for remote administration or via misconfiguration, making them a frequent target for internet-based attacks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

This critical issue in TOTOLINK N200RE V5 allows an unauthenticated attacker to inject and execute arbitrary commands on the device. This could lead to a complete compromise of the router, affecting its normal operations and potentially any devices connected to it.

  • Commands can be run remotely.
  • Affects network devices.
  • Likely targets network control.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this vulnerability by sending specially crafted requests to the router's web interface. The flaw allows arbitrary command execution on the device, enabling an attacker to take full control of the router and potentially use it as a pivot point for further network intrusion.

  • No authentication required.
  • Targets web interface.
  • Exploits specific function parameters.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in TOTOLINK N200RE V5 allows unauthenticated command injection, a serious threat that attackers often favor. Such flaws can grant immediate control over devices, enabling them to be incorporated into botnets or used as pivots for further network compromise. The public availability of exploit details further increases its attractiveness.

  • Exploitation is likely.
  • Public exploit exists.
  • Recent vulnerability discovery.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize blocking traffic to affected TOTOLINK N200RE V5 devices and consider taking them offline if they are externally accessible. Investigate logs for signs of command injection attempts, focusing on the `macstr` and `bandstr` parameters.

  • Block affected devices from network access.
  • Monitor for exploitation activity.
  • Investigate for known exploits.

Frequently asked questions

What is TOTOLINK N200RE V5 and its general use case?

TOTOLINK N200RE V5 is a network device, often functioning as a wireless router. It is utilized to establish and manage local networks, facilitating internet access sharing among multiple connected devices within a home or office environment.

What is CVE-2026-36841 and its associated weakness classification?

CVE-2026-36841 identifies a critical command injection vulnerability within the TOTOLINK N200RE V5. This weakness, classified as CWE-77, permits an attacker to execute unintended commands on the device, potentially leading to a loss of control.

How can the command injection vulnerability in TOTOLINK N200RE V5 be triggered?

The command injection vulnerability is triggered through the `macstr` and `bandstr` parameters within the `formMapDelDevice` function. Attackers can exploit this by sending malformed requests to the device's web management interface without requiring any authentication.

What is the relevance of CVE-2026-36841 given its nature and discovery?

The relevance of CVE-2026-36841 stems from its critical nature, allowing unauthenticated command injection which is a favored technique for attackers. The public availability of exploit details, coupled with its recent discovery, increases the likelihood of its exploitation for malicious purposes such as device compromise or inclusion in botnets. The Halo Surface Signal indicates a likely risk due to the nature of router web interfaces often being externally accessible.

What immediate actions should be taken regarding the TOTOLINK N200RE V5 vulnerability?

To mitigate the risk, it is recommended to immediately block external network traffic to affected TOTOLINK N200RE V5 devices. If externally accessible, consider isolating them from the network. Monitor system logs for any indications of command injection attempts, specifically looking for activity related to the `macstr` and `bandstr` parameters.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished