{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-5676/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-5676"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-5676","authentication-bypass","totolink"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-5676 is an authentication bypass vulnerability affecting Totolink A8000R routers with firmware version 5.9c.681_B20180413. The vulnerability resides in the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e file, specifically within the \u003ccode\u003esetLanguageCfg\u003c/code\u003e function. By manipulating the \u003ccode\u003elangType\u003c/code\u003e argument, an attacker can bypass authentication checks, potentially gaining unauthorized access to sensitive router functionalities. This vulnerability can be exploited remotely without requiring any prior authentication. A public exploit is available, increasing the likelihood of exploitation. Defenders should prioritize detection and patching of this vulnerability to prevent unauthorized access and control of affected devices.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable Totolink A8000R router running firmware 5.9c.681_B20180413.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request to \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request targets the \u003ccode\u003esetLanguageCfg\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe request includes a manipulated \u003ccode\u003elangType\u003c/code\u003e argument designed to bypass authentication.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003esetLanguageCfg\u003c/code\u003e function processes the request without proper authentication checks.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to router configuration settings.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies sensitive settings such as DNS, routing rules, or firewall configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves full control of the router, potentially using it for malicious purposes like eavesdropping, traffic redirection, or botnet activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5676 allows a remote, unauthenticated attacker to gain full control of the affected Totolink A8000R router. This can lead to a variety of malicious activities, including unauthorized access to the local network, data theft, DNS hijacking, and the use of the router as part of a botnet. The potential number of affected devices is substantial, as the A8000R model is widely used.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule to detect malicious HTTP requests targeting the vulnerable \u003ccode\u003esetLanguageCfg\u003c/code\u003e function (see \u0026ldquo;Detect Totolink A8000R Authentication Bypass Attempt\u0026rdquo; rule below).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e with unusual \u003ccode\u003elangType\u003c/code\u003e parameters (see \u0026ldquo;Detect Totolink A8000R Authentication Bypass Attempt\u0026rdquo; rule below).\u003c/li\u003e\n\u003cli\u003eUpgrade the firmware of Totolink A8000R routers to a patched version that addresses CVE-2026-5676 (consult the vendor\u0026rsquo;s website for updates).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a compromised router on other devices on the network.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T19:16:30Z","date_published":"2026-04-06T19:16:30Z","id":"/briefs/2026-04-totolink-auth-bypass/","summary":"A remote, unauthenticated attacker can bypass authentication on Totolink A8000R routers running firmware version 5.9c.681_B20180413 by manipulating the `langType` argument in the `setLanguageCfg` function of the `/cgi-bin/cstecgi.cgi` file.","title":"Totolink A8000R Authentication Bypass Vulnerability (CVE-2026-5676)","url":"https://feed.craftedsignal.io/briefs/2026-04-totolink-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-5676","version":"https://jsonfeed.org/version/1.1"}