CVE-2026-5853
Published: 09 April 2026
Summary
CVE-2026-5853 is a high-severity Command Injection (CWE-77) vulnerability in Totolink A7100RU (inferred from references). Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
A security vulnerability has been detected in the Totolink A7100RU router running firmware version 7.4cu.2313_b20191024. The issue resides in the setIpv6LanCfg function within the /cgi-bin/cstecgi.cgi file of the CGI Handler component, where improper handling of the addrPrefixLen argument enables OS command injection. The flaw is tracked under CWE-77 and CWE-78 and carries a CVSS 4.0 score of 8.9.
Remote attackers can exploit the vulnerability without authentication or user interaction by sending crafted requests to the affected CGI endpoint, resulting in arbitrary command execution on the device with impacts to confidentiality, integrity, and availability. The exploit has been made public and may be used by unauthenticated network actors.
Public references include a detailed disclosure on GitHub, multiple VulDB entries, and the vendor site at totolink.net, though no specific patch or mitigation guidance is described in the available information. The associated EPSS score remains low and stable near 0.012 with no material increase observed.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-20868
Vulnerability details
A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this vulnerability is the function setIpv6LanCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Manipulation of the argument addrPrefixLen leads to OS command injection. The attack may be performed remotely. The exploit has been disclosed publicly and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables remote exploitation of a public-facing web application (T1190) on the router, leading to arbitrary OS command execution via the network device CLI (T1059.008).
Mitigating Controls (NIST 800-53 r5)
Directly requires validation and sanitization of the addrPrefixLen input to the setIpv6LanCfg CGI function, blocking the OS command injection vector.
Enforces authentication and authorization checks before any request reaches the unauthenticated /cgi-bin/cstecgi.cgi endpoint, preventing remote exploitation.
Restricts network reachability of the router's management CGI interface to trusted sources only, reducing the remote attack surface.
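One way to implement the input validation described above for addrPrefixLen, shown as an added example and not vendor or firmware code. It assumes the argument is meant to carry an IPv6 prefix length (0 to 128); the function names parse_prefix_len and canonical_prefix_len are hypothetical, and the sample inputs are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper: strictly parse an IPv6 prefix length.
 * Accepts only 1-3 ASCII digits with a value of 0..128.
 * Returns the value, or -1 for anything else. */
int parse_prefix_len(const char *s)
{
    int value = 0;
    size_t i;

    if (s == NULL || s[0] == '\0')
        return -1;
    for (i = 0; s[i] != '\0'; i++) {
        if (i >= 3)                     /* "128" is the longest valid form */
            return -1;
        if (!isdigit((unsigned char)s[i]))
            return -1;                  /* signs, spaces, shell metacharacters */
        value = value * 10 + (s[i] - '0');
    }
    return value <= 128 ? value : -1;
}

/* Re-serialize from the parsed integer so the raw request string is never
 * the thing that reaches configuration code or a command line. */
int canonical_prefix_len(const char *raw, char *out, size_t outlen)
{
    int n, v = parse_prefix_len(raw);

    if (v < 0)
        return -1;
    n = snprintf(out, outlen, "%d", v);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

int main(void)
{
    /* Constructed sample values, not taken from any real request. */
    const char *samples[] = { "64", "128", "064", "129", " 64", "64;x", "" };
    char buf[8];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = canonical_prefix_len(samples[i], buf, sizeof buf) == 0;
        printf("[%s] -> %s\n", samples[i], ok ? buf : "rejected");
    }
    return 0;
}
```

Validation of this kind reduces the risk only for this one argument; the handler should still pass values to helper programs as separate arguments rather than through a shell command string.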