theinfosecnews

CVE-2026-5851

Published April 9, 2026 · Updated April 9, 2026

CVSS 9.8 (critical)

What This Means

CVE-2026-5851 is a critical command injection vulnerability in the Totolink A7100RU router, specifically affecting the function setUPnPCfg in the CGI Handler at /cgi-bin/cstecgi.cgi. This flaw allows attackers to remotely inject operating system commands by manipulating the 'enable' argument. Organizations using this router should apply any available patches immediately and consider disabling remote management features to mitigate risk.

Official Description

A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. This impacts the function setUPnPCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument enable results in os command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.

Recommended Actions

  1. Check if your systems use any of the affected products listed above.
  2. Apply vendor patches immediately if available.
  3. Monitor vendor advisories for updates and additional mitigations.
  4. Review logs for indicators of compromise related to CVE-2026-5851.
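
For step 4, one way to triage captured requests to the affected handler. This is an added example, not code from the advisory or the vendor. It assumes a proxy or IDS log with one JSON record per line (hypothetical fields `src`, `path`, `body`), a JSON POST body that carries the handler name in `topicurl`, and that a legitimate `enable` value is a plain 0 or 1.

```python
import json
import re

CGI_PATH = "/cgi-bin/cstecgi.cgi"   # from the advisory
HANDLER = "setUPnPCfg"              # from the advisory
EXPECTED_ENABLE = re.compile(r"[01]")  # assumption: enable is a plain 0/1 flag

def suspicious_upnp_requests(log_text):
    """Return (src, reason) for setUPnPCfg requests with an abnormal enable."""
    hits = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # not a JSON log record
        if not isinstance(rec, dict):
            continue
        if not str(rec.get("path", "")).startswith(CGI_PATH):
            continue
        body = str(rec.get("body") or "")
        if HANDLER not in body:
            continue  # some other handler behind the same CGI
        try:
            params = json.loads(body)
        except ValueError:
            hits.append((rec.get("src"), "unparseable setUPnPCfg body"))
            continue
        if not isinstance(params, dict) or "enable" not in params:
            continue
        enable = params["enable"]
        if not EXPECTED_ENABLE.fullmatch(str(enable)):
            hits.append((rec.get("src"), f"unexpected enable value {enable!r}"))
    return hits

def _rec(src, path, body):
    # Hypothetical log schema: source address, request path, raw POST body.
    return json.dumps({"src": src, "path": path, "body": body})

# Constructed sample records (documentation addresses, placeholder values).
SAMPLE_LOG = "\n".join([
    _rec("192.0.2.10", CGI_PATH, '{"topicurl":"setUPnPCfg","enable":"1"}'),
    _rec("192.0.2.10", CGI_PATH, '{"topicurl":"otherHandler","enable":"x;y"}'),
    _rec("198.51.100.7", CGI_PATH, '{"topicurl":"setUPnPCfg","enable":"1;PLACEHOLDER"}'),
    _rec("198.51.100.7", CGI_PATH, '{"topicurl":"setUPnPCfg","enable":'),
    _rec("203.0.113.5", "/index.html", ""),
])

if __name__ == "__main__":
    for src, reason in suspicious_upnp_requests(SAMPLE_LOG):
        print(src, reason)
```

The check is an allowlist on the value rather than a list of known-bad strings, so any `enable` that is not 0 or 1 is surfaced for review regardless of how it is encoded.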