Description
A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this vulnerability is the function setIpv6LanCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument addrPrefixLen leads to os command injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.
Published: 2026-04-09
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote OS Command Execution
Action: Immediate Patch
AI Analysis

Impact

A flaw in the setIpv6LanCfg function of the cstecgi.cgi handler on Totolink A7100RU routers allows attackers to inject arbitrary operating system commands through manipulation of the addrPrefixLen argument. This results in remote code execution with the privileges of the CGI process, exposing the device to complete compromise of confidentiality, integrity, and availability. The vulnerability carries a CVSS score of 9.3, indicating a very high severity that should be addressed with priority.

Affected Systems

The vulnerability affects Totolink A7100RU routers running firmware version 7.4cu.2313_b20191024. The specific component at risk is the CGI interface located at /cgi-bin/cstecgi.cgi, which processes the setIpv6LanCfg command. Only devices running the affected firmware revision are vulnerable; newer or older firmware versions not explicitly listed are not confirmed to be impacted.

Risk and Exploitability

The flaw can be exploited remotely without authentication, as the vulnerable CGI endpoint is publicly reachable. Public exploits have already been disclosed, and the absence of an EPSS score suggests a higher likelihood of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog, but the combination of a high CVSS score, existing public exploits, and remote access makes the risk substantial. An attacker can send a crafted HTTP request to the cstecgi.cgi endpoint, inject shell commands via the addrPrefixLen parameter, and gain full control over the router.

Generated by OpenCVE AI on April 9, 2026 at 08:20 UTC.

Remediation

No vendor fix or workaround is currently available.

OpenCVE Recommended Actions

  • Apply the latest firmware update from Totolink that fixes the command injection issue.
  • If an immediate update is not available, block external access to /cgi-bin/cstecgi.cgi or disable IPv6 LAN configuration through router ACLs or firewall rules.
  • For remaining exposure, monitor incoming traffic to the cstecgi.cgi endpoint for anomalous parameters and log attempts for further investigation.

Generated by OpenCVE AI on April 9, 2026 at 08:20 UTC.
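The hardening and monitoring steps above can be exercised with a small check. The following Python is an added example written for this page, not code from OpenCVE, VulDB or Totolink: it applies the strict allow-list a fixed handler should enforce on addrPrefixLen (the canonical decimal form of an integer 0..128) and reuses the same rule to flag requests to /cgi-bin/cstecgi.cgi in a log feed. How cstecgi.cgi actually receives its parameters (JSON body or query string) is not stated on the page and is assumed here; the log records are constructed, not captured traffic.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs

# An IPv6 prefix length is an integer in 0..128; this regex accepts only its
# canonical decimal spelling (no sign, no leading zeros, no whitespace).
PREFIX_LEN_RE = re.compile(r"^(?:[0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$")


def is_valid_prefix_len(value: str) -> bool:
    """Allow-list check a hardened handler would apply before using the value."""
    return PREFIX_LEN_RE.fullmatch(value) is not None


def parse_params(target: str, body: str) -> dict:
    """Flatten query-string and body parameters into a name -> string dict.

    The body format (JSON object or form encoding) is an assumption; the page
    does not document how cstecgi.cgi receives its arguments.
    """
    params = {}
    query = urlsplit(target).query
    for key, values in parse_qs(query, keep_blank_values=True).items():
        params[key] = values[-1]
    body = body.strip()
    if body.startswith("{"):
        try:
            data = json.loads(body)
        except ValueError:
            data = None
        if isinstance(data, dict):
            for key, value in data.items():
                params[key] = str(value)
        else:
            params["_unparsable_body"] = body
    elif body:
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params[key] = values[-1]
    return params


def classify_request(target: str, body: str = "") -> str:
    """'ignore' for other paths, 'ok' for well-formed values, 'suspicious'
    when addrPrefixLen is anything but a canonical 0..128 integer."""
    if urlsplit(target).path != "/cgi-bin/cstecgi.cgi":
        return "ignore"
    params = parse_params(target, body)
    if "addrPrefixLen" not in params:
        return "ok"
    return "ok" if is_valid_prefix_len(params["addrPrefixLen"]) else "suspicious"


# Constructed sample records in a simplified "METHOD TARGET [BODY]" form.
SAMPLE_LOG = [
    'POST /cgi-bin/cstecgi.cgi {"addrPrefixLen": "64"}',
    'POST /cgi-bin/cstecgi.cgi {"addrPrefixLen": "64;x"}',
    'GET /cgi-bin/cstecgi.cgi?addrPrefixLen=129',
    'GET /cgi-bin/cstecgi.cgi?addrPrefixLen=%2064',
    'GET /index.html',
]


def scan_log(lines):
    """Return [(line_no, verdict)] for every record that targets cstecgi.cgi."""
    results = []
    for n, line in enumerate(lines, 1):
        parts = line.split(" ", 2)
        target = parts[1]
        body = parts[2] if len(parts) == 3 else ""
        verdict = classify_request(target, body)
        if verdict != "ignore":
            results.append((n, verdict))
    return results


if __name__ == "__main__":
    for n, verdict in scan_log(SAMPLE_LOG):
        print(f"line {n}: {verdict}")
```

Anything other than a canonical integer is flagged, including leading zeros, whitespace and percent-encoded characters, so the rule does not depend on enumerating shell metacharacters. Adjust the path comparison if the device sits behind a reverse proxy that rewrites request paths.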

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 07:00:00 +0000

Type Values Removed Values Added
Description A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this vulnerability is the function setIpv6LanCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument addrPrefixLen leads to os command injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.
Title Totolink A7100RU CGI cstecgi.cgi setIpv6LanCfg os command injection
First Time appeared Totolink
Totolink a7100ru Firmware
Weaknesses CWE-77
CWE-78
CPEs cpe:2.3:o:totolink:a7100ru_firmware:*:*:*:*:*:*:*:*
Vendors & Products Totolink
Totolink a7100ru Firmware
References
Metrics cvssV2_0

{'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-09T06:30:21.107Z

Reserved: 2026-04-08T19:20:04.129Z

Link: CVE-2026-5853

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-09T07:16:05.273

Modified: 2026-04-09T07:16:05.273

Link: CVE-2026-5853

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:24:50Z

Weaknesses