Cyber Posture

CVE-2026-5852

Critical

Published: 09 April 2026

Modified: 27 April 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0125 (79.5th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

A weakness has been identified in Totolink A7100RU 7.4cu.2313_b20191024. Affected is the function setIptvCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Manipulation of the argument igmpVer causes OS command injection. The attack can be carried out remotely. The exploit has been made available to the public and could be used for attacks.

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Requires timely identification, reporting, and correction of the OS command injection flaw in the Totolink A7100RU CGI handler to prevent exploitation of CVE-2026-5852.

prevent: Mandates validation of the igmpVer argument in setIptvCfg to detect and reject command injection payloads before execution.

prevent: Restricts igmpVer inputs to only valid IGMP version values, blocking arbitrary OS command injection attempts.
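The input restriction named in the last two controls, written out as an added example (not Totolink's code and not taken from the referenced advisories). It assumes the only legitimate igmpVer values are the IGMP protocol versions 1, 2 and 3; the function names and the helper path are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Assumption: the only legitimate values are IGMP versions 1, 2 and 3. */
static const char *const IGMP_VER_CANON[] = { "1", "2", "3" };

/* Returns 1..3 on an exact match, -1 for anything else.
 * No trimming and no numeric parsing: "", "02", "2 " and "2;x" are rejected. */
int igmp_ver_parse(const char *s)
{
    size_t n = sizeof IGMP_VER_CANON / sizeof IGMP_VER_CANON[0];

    if (s == NULL)
        return -1;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(s, IGMP_VER_CANON[i]) == 0)
            return (int)i + 1;
    }
    return -1;
}

/* Fills argv for an exec*-style call, so no shell ever parses the value.
 * The helper path and its argument layout are hypothetical.
 * The version argument points at a constant from the table above,
 * never at the bytes that arrived in the request.
 * Returns 0 on success, -1 if the value is rejected or argv is too small. */
int igmp_build_argv(const char *untrusted, const char *argv[], size_t argc_max)
{
    int v = igmp_ver_parse(untrusted);

    if (v < 0 || argv == NULL || argc_max < 3)
        return -1;
    argv[0] = "/usr/sbin/iptv-helper";   /* hypothetical helper binary */
    argv[1] = IGMP_VER_CANON[v - 1];
    argv[2] = NULL;
    return 0;
}
```

Exact-match allowlisting rejects values a numeric parser would accept, such as a valid digit followed by trailing characters.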

Security Summary [AI]

CVE-2026-5852 is an OS command injection vulnerability in the Totolink A7100RU router running firmware version 7.4cu.2313_b20191024. The issue affects the setIptvCfg function within the /cgi-bin/cstecgi.cgi file of the CGI handler component, where manipulation of the igmpVer argument enables arbitrary command execution. Classified under CWE-77 and CWE-78, it carries a CVSS v3.1 base score of 9.8, reflecting its critical severity: it is reachable over the network, has low attack complexity, and requires neither privileges nor user interaction.

The vulnerability is remotely exploitable by unauthenticated attackers with network access to the device, requiring no user interaction. Successful exploitation allows attackers to execute arbitrary operating system commands, potentially leading to full compromise of the router with high impacts on confidentiality, integrity, and availability. A public exploit is available, increasing the risk of real-world attacks against exposed devices.

Advisories from VulDB detail the vulnerability and reference a GitHub repository containing an exploit README for the A7100RU. Additional VulDB entries provide submission and CTI context, while the Totolink vendor website is listed, though no specific patches or mitigations are detailed in the available references.

The exploit's public availability heightens the urgency for users of the affected Totolink A7100RU firmware to assess exposure and pursue updates where possible.

Details

CWE(s)

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The vulnerability is a remotely exploitable OS command injection in a public-facing router CGI interface (T1190), directly enabling arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References