Cyber Posture

CVE-2026-5850

Critical

Published: 09 April 2026

Modified: 27 April 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0125 (79.5th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

A vulnerability was identified in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function setVpnPassCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument pptpPassThru leads to os command injection. Remote exploitation of the attack is possible.…


The exploit is publicly available and might be used.

Mitigating Controls (NIST 800-53 r5)

prevent: Directly remediates the OS command injection vulnerability in the setVpnPassCfg function of /cgi-bin/cstecgi.cgi through timely patching of the Totolink A7100RU firmware.

prevent: Validates the pptpPassThru argument to prevent manipulation leading to OS command injection in the vulnerable CGI handler.

prevent: Controls network access to the exposed web management interface, mitigating remote unauthenticated exploitation of the command injection vulnerability.
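The second control above (validating the pptpPassThru argument before it can reach an OS command) as an added, constructed example; this is not Totolink's firmware code. It assumes the parameter is an on/off flag arriving as a key=value form field, and the form_get helper and the integer-only config store are hypothetical.

```c
/* Constructed example of hardened CGI flag handling; not firmware code.
   Assumption: pptpPassThru is an on/off flag posted as key=value. */
#include <stdlib.h>
#include <string.h>

/* Allowlist check: accept exactly "0" or "1", reject everything else,
   including shell metacharacters and URL-encoded forms such as "%3B". */
static int valid_passthru_flag(const char *v)
{
    return v != NULL && (strcmp(v, "0") == 0 || strcmp(v, "1") == 0);
}

/* Hypothetical helper: copy the value of `key` from a form body of the
   shape "a=1&pptpPassThru=1&b=0" into out (NUL-terminated).
   Returns 1 when found and it fits, 0 when absent or too long. */
static int form_get(const char *body, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = body;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = plen - klen - 1;
            if (vlen >= outlen) return 0;
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = end ? end + 1 : NULL;
    }
    return 0;
}

/* Apply the setting without ever invoking a shell: only a validated
   integer reaches the (hypothetical) configuration store.
   Returns the stored flag (0 or 1), or -1 when the input is rejected. */
static int set_pptp_passthru(const char *body)
{
    char val[8];
    if (!form_get(body, "pptpPassThru", val, sizeof val)) return -1;
    if (!valid_passthru_flag(val)) return -1; /* drop anything non-0/1 */
    int flag = atoi(val);
    /* A real handler would pass `flag` to its nvram/uci-style API here,
       never build a system()/popen() command from the raw user string. */
    return flag;
}
```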

Security Summary

CVE-2026-5850 is an OS command injection vulnerability affecting the Totolink A7100RU router on firmware version 7.4cu.2313_b20191024. The issue resides in the setVpnPassCfg function within the /cgi-bin/cstecgi.cgi file of the CGI Handler component, where manipulation of the pptpPassThru argument enables command injection. Published on 2026-04-09, it is associated with CWE-77 and CWE-78.

Remote attackers require no privileges, authentication, or user interaction to exploit this vulnerability over the network with low attack complexity. Successful exploitation grants high impacts on confidentiality, integrity, and availability, earning a CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), potentially allowing arbitrary command execution on the device.

Advisories on VULDB (including vuln/356376 and submit/791266) document the issue, while a GitHub repository at Litengzheng/vuldb_new provides a publicly available exploit. The Totolink vendor website at totolink.net should be consulted for any firmware updates or mitigation guidance.

The public availability of the exploit increases the risk of real-world attacks against unpatched Totolink A7100RU devices.

Details

CWE(s): CWE-77, CWE-78

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The CVE enables exploitation of a public-facing web application (T1190), leading to OS command injection on Unix-based router firmware (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References