CVE-2026-5851
Published: 09 April 2026
Summary
CVE-2026-5851 is a high-severity Command Injection (CWE-77) vulnerability in Totolink A7100RU (inferred from references). Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-5851 is an OS command injection vulnerability in the Totolink A7100RU router running firmware version 7.4cu.2313_b20191024. It resides in the setUPnPCfg function within the /cgi-bin/cstecgi.cgi file of the CGI Handler component, where improper handling of the enable argument permits arbitrary command execution. The flaw is tracked under CWE-77 and CWE-78 and carries a CVSS 4.0 score of 8.9.
The vulnerability can be exploited remotely by unauthenticated attackers over the network without user interaction. Successful exploitation grants full control over the device, allowing attackers to execute operating system commands that can compromise confidentiality, integrity, and availability of the router.
An exploit for the issue has been made public. The EPSS score remains flat at 0.0167 with no material increase since disclosure. Reference materials point to detailed proof-of-concept information and the vendor site, though no specific mitigation guidance or patch details are provided in the available sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-20864
Vulnerability details
A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. This impacts the function setUPnPCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument enable results in os command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Unauthenticated remote OS command injection via public-facing router CGI endpoint directly enables T1190 (Exploit Public-Facing Application) and facilitates T1059.008 (Network Device CLI) for arbitrary command execution.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of the enable argument in setUPnPCfg to block malicious input that produces OS command injection.
Enforces access-control policy on the CGI handler so that unauthenticated remote callers cannot reach the vulnerable function.
Boundary-protection mechanisms can filter or restrict network traffic to the router's web-management interface before the injection payload is processed.