Cyber Posture

CVE-2026-5851

Critical

Published: 09 April 2026

Modified: 27 April 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0125 (79.5th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. This impacts the function setUPnPCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument enable results in OS command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly prevents OS command injection by validating and sanitizing the 'enable' argument in the vulnerable setUPnPCfg CGI function.

prevent: Requires timely remediation of the specific command injection flaw in the Totolink A7100RU firmware to eliminate exploitability.

prevent: Implements protections for the publicly accessible, unauthenticated CGI handler endpoint vulnerable to remote command injection.

Security Summary (AI)

CVE-2026-5851 is an OS command injection vulnerability (CWE-77, CWE-78) in the Totolink A7100RU router running firmware version 7.4cu.2313_b20191024. The flaw resides in the setUPnPCfg function within the /cgi-bin/cstecgi.cgi file of the CGI Handler component, where manipulation of the "enable" argument enables injection of operating system commands.

The vulnerability is remotely exploitable with no authentication required, low complexity, and no user interaction needed, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Attackers can execute arbitrary OS commands on the device, achieving high impacts on confidentiality, integrity, and availability, potentially leading to full router compromise.

VulDB advisories document the issue at https://vuldb.com/vuln/356377 and https://vuldb.com/vuln/356377/cti, with a submission entry at https://vuldb.com/submit/791271. A public exploit is available on GitHub at https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_157/README.md. The vendor site https://www.totolink.net/ provides general support but no specific mitigation details in the referenced materials.

The exploit has been publicly released, heightening the risk of active exploitation against unpatched Totolink A7100RU devices.

Details

CWE(s)

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.008 Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.

Why these techniques?

Unauthenticated remote OS command injection via public-facing router CGI endpoint directly enables T1190 (Exploit Public-Facing Application) and facilitates T1059.008 (Network Device CLI) for arbitrary command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
