CVE-2026-5851

Severity: High · Type: RCE

Published: 09 April 2026
Modified: 27 April 2026
KEV Added: not listed
Patch: none listed
CVSS Score (v4): 8.9 (High)
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.1413 (96.1st percentile)
Risk Priority: 60 (floored blend · peak EPSS)

Summary

CVE-2026-5851 is a high-severity Command Injection (CWE-77) vulnerability in Totolink A7100RU (inferred from references). Its CVSS base score is 8.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 3.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-5851 is an OS command injection vulnerability in the Totolink A7100RU router running firmware version 7.4cu.2313_b20191024. It resides in the setUPnPCfg function within the /cgi-bin/cstecgi.cgi file of the CGI Handler component, where improper handling of the enable argument permits arbitrary command execution. The flaw is tracked under CWE-77 and CWE-78 and carries a CVSS 4.0 score of 8.9.

The vulnerability can be exploited remotely by unauthenticated attackers over the network without user interaction. Successful exploitation grants full control over the device, allowing attackers to execute operating system commands that can compromise confidentiality, integrity, and availability of the router.

An exploit for the issue has been made public. The EPSS score remains flat at 0.0167 with no material increase since disclosure. Reference materials point to detailed proof-of-concept information and the vendor site, though no specific mitigation guidance or patch details are provided in the available sources.

Vulnerability details

A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. This impacts the function setUPnPCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument enable results in OS command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.

CWE(s): CWE-77 (Command Injection), CWE-78 (OS Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.008 Network Device CLI (Execution): Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.
Why these techniques?

Unauthenticated remote OS command injection via public-facing router CGI endpoint directly enables T1190 (Exploit Public-Facing Application) and facilitates T1059.008 (Network Device CLI) for arbitrary command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7123 (shared CWE-77, CWE-78)
CVE-2026-6114 (shared CWE-77, CWE-78)
CVE-2026-2082 (shared CWE-77, CWE-78)
CVE-2026-5997 (shared CWE-77, CWE-78)
CVE-2025-15254 (shared CWE-77, CWE-78)
CVE-2025-1819 (shared CWE-77, CWE-78)
CVE-2026-7243 (shared CWE-77, CWE-78)
CVE-2026-1506 (shared CWE-77, CWE-78)
CVE-2026-3696 (shared CWE-77, CWE-78)
CVE-2026-6154 (shared CWE-77, CWE-78)

Affected Assets

Totolink A7100RU (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-assigned)

SI-10 Information Input Validation (prevent): Directly requires validation of the enable argument in setUPnPCfg to block malicious input that produces OS command injection.

AC-3 Access Enforcement (prevent): Enforces access-control policy on the CGI handler so that unauthenticated remote callers cannot reach the vulnerable function.

SC-7 Boundary Protection (prevent): Boundary-protection mechanisms can filter or restrict network traffic to the router's web-management interface before the injection payload is processed.
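The SI-10 control above is the one a firmware developer can act on directly. As an added example (not Totolink's firmware code; the parameter name `enable`, the query-string format and the `upnp_enable=` config line are assumptions made for illustration), the following C handler shows the pattern that closes this class of bug: the request value is matched against a strict allowlist, reduced to an integer, and the request bytes themselves never become part of a command string or reach a shell. Over-long values are rejected rather than truncated, so the handler fails closed.

```c
/* Hypothetical hardened setUPnPCfg-style CGI handler (added example, not vendor code). */
#include <stdio.h>
#include <string.h>

/* Strict allowlist for the `enable` argument: only the literal strings "0" and
   "1" are accepted. Anything else (longer strings, whitespace, shell
   metacharacters, encoded bytes) returns -1 before it can influence a command. */
int parse_enable(const char *value) {
    if (value == NULL) return -1;
    if (strcmp(value, "0") == 0) return 0;
    if (strcmp(value, "1") == 0) return 1;
    return -1;
}

/* Extract the raw value of `key` from a URL-encoded query string such as
   "a=1&enable=1". Returns 1 and fills `out` when the key is present and the
   value fits; returns 0 when the key is absent or the value is too long
   (fail closed instead of silently truncating). Percent-decoding is omitted
   on purpose: any encoded byte fails the allowlist in parse_enable anyway. */
int get_param(const char *query, const char *key, char *out, size_t out_len) {
    size_t klen = strlen(key);
    const char *p = query;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t seg_len = end ? (size_t)(end - p) : strlen(p);
        if (seg_len > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = seg_len - klen - 1;
            if (vlen >= out_len) return 0;   /* over-long value: reject */
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = end ? end + 1 : NULL;
    }
    return 0;
}

/* Handle the request. Returns an HTTP status: 200 when `enable` was valid
   and the config line was written to cfg_out, 400 when missing or rejected.
   The only thing derived from the request is the integer 0/1; no command
   string is ever built from request data, so there is nothing to inject into. */
int handle_set_upnp_cfg(const char *query, char *cfg_out, size_t cfg_len) {
    char raw[16];
    if (!get_param(query, "enable", raw, sizeof raw)) return 400;
    int enable = parse_enable(raw);
    if (enable < 0) return 400;
    snprintf(cfg_out, cfg_len, "upnp_enable=%d\n", enable);  /* assumed config format */
    return 200;
}

int main(void) {
    /* Constructed sample requests: two valid, one non-allowlisted value, one missing key. */
    const char *samples[] = { "enable=1", "enable=0&foo=bar", "enable=on", "foo=bar" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char cfg[64] = "";
        int status = handle_set_upnp_cfg(samples[i], cfg, sizeof cfg);
        printf("%-20s -> %d %s", samples[i], status, status == 200 ? cfg : "rejected\n");
    }
    return 0;
}
```

The design point is that validation alone is not the whole fix: the value is converted to a typed integer and the downstream action is expressed in terms of that integer, so even a validator bug would not hand attacker-controlled bytes to a shell. If the real handler must invoke a helper binary, the same integer should be passed as a fixed argv element via an exec-family call rather than through system().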
