CVE-2026-5853

Critical

Published: 09 April 2026

Published

09 April 2026

Modified

27 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0125 79.5th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this vulnerability is the function setIpv6LanCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument addrPrefixLen leads to os command injection. The attack…

may be performed from remote. The exploit has been disclosed publicly and may be used.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly validates the addrPrefixLen argument in the setIpv6LanCfg function to block OS command injection payloads.

SI-2 Flaw Remediation good match

prevent

Remediates the specific OS command injection flaw in the Totolink router's CGI handler through timely flaw remediation including firmware patching.

SC-2 Separation of System and User Functionality good match

prevent

Separates user-supplied addrPrefixLen input from system command execution in the CGI handler to prevent injection attacks.

Security SummaryAI

CVE-2026-5853 is an OS command injection vulnerability affecting the Totolink A7100RU router on firmware version 7.4cu.2313_b20191024. The flaw resides in the setIpv6LanCfg function within the /cgi-bin/cstecgi.cgi file of the CGI Handler component, where manipulation of the addrPrefixLen argument enables command injection.

Attackers can exploit this vulnerability remotely without authentication or user interaction, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation allows arbitrary OS command execution, granting high-impact control over confidentiality, integrity, and availability of the affected device.

Advisories detail the issue on VulDB (vuln/356379 and related pages) and a GitHub repository at Litengzheng/vuldb_new, which includes the publicly disclosed exploit. The vendor site at totolink.net is referenced, but specific patch or mitigation guidance is not outlined in the disclosure.

The exploit has been publicly released and is available for use, with the vulnerability mapped to CWE-77 (Command Injection) and CWE-78 (OS Command Injection). It was published on 2026-04-09.

Details

CWE(s): CWE-77 CWE-78

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.008 Network Device CLI Execution

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.

attack.mitre.org →

Why these techniques?

CVE enables remote exploitation of public-facing web application (T1190) on router leading to arbitrary OS command execution via network device CLI (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_159/README.md
cna@vuldb.com
https://vuldb.com/submit/791274
cna@vuldb.com
https://vuldb.com/vuln/356379
cna@vuldb.com
https://vuldb.com/vuln/356379/cti
cna@vuldb.com
https://www.totolink.net/
cna@vuldb.com