Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.3
Totolink A3600R router's notice settings are vulnerable to remote command injection
CVE-2026-5020
Summary
A security flaw in the Totolink A3600R router's settings system allows an attacker to execute arbitrary commands on the router from anywhere. This means an attacker could potentially take control of the router or disrupt its operation. To protect your network, update the router to the latest firmware version as soon as possible.
Original title
A vulnerability was detected in Totolink A3600R 4.1.2cu.5182_B20201102. Affected by this issue is the function setNoticeCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. The ...
Original description
A vulnerability was detected in Totolink A3600R 4.1.2cu.5182_B20201102. Affected by this issue is the function setNoticeCfg of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. The manipulation of the argument NoticeUrl results in command injection. The attack may be launched remotely. The exploit is now public and may be used.
nvd CVSS2.0
6.5
nvd CVSS3.1
6.3
nvd CVSS4.0
5.3
Vulnerability type
CWE-74
Injection
CWE-77
Command Injection
Published: 29 Mar 2026 · Updated: 29 Mar 2026 · First seen: 29 Mar 2026