
Unauthenticated Command Injection Flaws Disclosed in Totolink A7100RU Router

Tags: embedded-device-vulnerability, proof-of-concept-release, rapid-weaponization
Updated April 13, 2026 at 07:01 AM (4 sources)

Two critical vulnerabilities, CVE-2026-5851 and CVE-2026-5976, were disclosed in the Totolink A7100RU router running firmware 7.4cu.2313_b20191024, exposing the device to remote OS command injection without authentication or user interaction. Both flaws affect /cgi-bin/cstecgi.cgi in the router's CGI handler: CVE-2026-5851 is tied to the setUPnPCfg function through the enable argument, while CVE-2026-5976 affects the setStorageCfg function through the sambaEnabled argument.

The vulnerabilities were classified under CWE-78 and CWE-77 and were assigned high to critical severity across CVSS versions, reflecting potential compromise of confidentiality, integrity, and availability. Public exploit information has reportedly been released, including references to VulDB and a GitHub disclosure repository, increasing the likelihood of exploitation against exposed devices that have not been updated or otherwise mitigated.

Timeline

  1. Apr 13, 2026

    Fourth Totolink A7100RU command injection CVE is recorded

    On 2026-04-13, CVE-2026-6155 was recorded for a remote OS command injection flaw in the Totolink A7100RU router affecting /cgi-bin/cstecgi.cgi's setWanCfg function via the pppoeServiceName argument. The CVE entry states that public exploit information is available and maps the issue to CWE-78 and CWE-77.

  2. Apr 9, 2026

    Third Totolink A7100RU command injection CVE is recorded

    On April 9, 2026, CVE-2026-5975 was recorded for a remote OS command injection flaw in Totolink A7100RU firmware 7.4cu.2313_b20191024. The vulnerability affects the setDmzCfg function in /cgi-bin/cstecgi.cgi via the wanIdx argument, and the CVE entry states that public exploit information is available.

  3. Apr 9, 2026

    Public exploit information is available for the Totolink flaws

    The CVE records state that public exploit or disclosure material had been released for both vulnerabilities, including references to VulDB and a GitHub repository. This indicates technical details and exploit information were publicly available by the time the CVEs were published.

  4. Apr 9, 2026

    Two Totolink A7100RU command injection CVEs are recorded

    On April 9, 2026, CVE-2026-5851 and CVE-2026-5976 were recorded for remote OS command injection flaws in the Totolink A7100RU router firmware 7.4cu.2313_b20191024. The issues affect the setUPnPCfg and setStorageCfg functions in /cgi-bin/cstecgi.cgi and are described as remotely exploitable without authentication or user interaction.
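
A log-triage check for the four A7100RU handler/argument pairs listed in the timeline above, as an added example that is not taken from the CVE records or the vendor. It assumes request bodies have already been decoded into JSON-lines records with the hypothetical fields `src`, `path`, `handler` and `params`; the metacharacter test is a heuristic, and the sample records are constructed.

```python
import json
import re

CGI_PATH = "/cgi-bin/cstecgi.cgi"
# Handler -> (argument, CVE) pairs named on this page for the A7100RU.
WATCHED = {
    "setUPnPCfg": ("enable", "CVE-2026-5851"),
    "setStorageCfg": ("sambaEnabled", "CVE-2026-5976"),
    "setDmzCfg": ("wanIdx", "CVE-2026-5975"),
    "setWanCfg": ("pppoeServiceName", "CVE-2026-6155"),
}
# Shell metacharacters; heuristic, none are expected in these settings.
SHELL_META = re.compile(r"[;&|`$<>\r\n]")

def triage(record):
    """Return a finding for a record that needs review, else None."""
    if str(record.get("path", "")).split("?", 1)[0] != CGI_PATH:
        return None
    handler, params = record.get("handler"), record.get("params")
    if not isinstance(handler, str) or handler not in WATCHED or not isinstance(params, dict):
        return None
    arg, cve = WATCHED[handler]
    value = params.get(arg)
    if value is None or not SHELL_META.search(str(value)):
        return None
    return {"src": record.get("src"), "handler": handler, "arg": arg, "cve": cve}

def scan(lines):
    """Triage JSON-lines records, skipping lines that do not parse."""
    findings = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        hit = triage(record) if isinstance(record, dict) else None
        if hit:
            findings.append(hit)
    return findings

# Constructed sample records (hypothetical schema, documentation IP ranges).
SAMPLE_LOG = [
    '{"src":"192.0.2.10","path":"/cgi-bin/cstecgi.cgi","handler":"setUPnPCfg","params":{"enable":"1"}}',
    '{"src":"198.51.100.7","path":"/cgi-bin/cstecgi.cgi","handler":"setUPnPCfg","params":{"enable":"1;PLACEHOLDER"}}',
    '{"src":"192.0.2.10","path":"/cgi-bin/cstecgi.cgi","handler":"setWanCfg","params":{"pppoeServiceName":"isp-home"}}',
    '{"src":"203.0.113.5","path":"/cgi-bin/cstecgi.cgi","handler":"setDmzCfg","params":{"wanIdx":"0|PLACEHOLDER"}}',
    "truncated line, not JSON",
]

print(len(scan(SAMPLE_LOG)), "record(s) flagged for review")
```

Because the flaws are described as exploitable without authentication, a flagged record is worth reviewing whether or not a session accompanied it.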

Related Stories

Unauthenticated Command Injection Flaws Disclosed in Totolink A7100RU and A8000RU Routers

Two high-severity vulnerabilities have been disclosed in Totolink routers that allow remote, unauthenticated OS command injection through the CGI handler in `/cgi-bin/cstecgi.cgi`. The flaws affect the **A7100RU** (`CVE-2026-5853`) running firmware `7.4cu.2313_b20191024` and the **A8000RU** (`CVE-2026-7124`) running firmware `7.1cu.643_b20200521`, with both issues tied to the `setIpv6LanCfg` function and abuse of the `addrPrefixLen` argument. The vulnerabilities are mapped to `CWE-78` and `CWE-77` and can be exploited remotely without authentication or user interaction.

5 days ago

Publicly Exploitable Command Injection Flaws Disclosed in Totolink A3300R Router

Two high-severity command injection vulnerabilities have been disclosed in the **Totolink A3300R** router, both affecting firmware version `17.0.0cu.557_b20221024` and exposing the device to remote code execution through `/cgi-bin/cstecgi.cgi`. The flaws are tracked as **`CVE-2026-5104`** and **`CVE-2026-5101`**. `CVE-2026-5104` affects the `setStaticRoute` function, where manipulation of the `ip` argument can trigger command injection, while `CVE-2026-5101` affects the `setLanCfg` function in the Parameter Handler component through the `lanIp` argument. Public exploit material has been disclosed for both issues, according to VulDB and referenced advisory material, raising the risk of active abuse against exposed devices. NVD subsequently added initial analysis for the CVEs, assigning higher **CVSS v3.1** severity assessments than the original CNA submissions and mapping the weaknesses to **`CWE-77`**, **`CWE-74`**, and **`CWE-78`**. The disclosures indicate that attackers could remotely inject operating system commands via crafted requests, making patching, exposure reduction, and monitoring of internet-facing Totolink A3300R systems urgent priorities.

1 week ago

Critical Command Injection Flaws Expose Totolink A8000RU Routers to Remote RCE

Three critical vulnerabilities, **CVE-2026-7121**, **CVE-2026-7122**, and **CVE-2026-7125**, were disclosed in the **Totolink A8000RU** router running firmware `7.1cu.643_b20200521`, all affecting the `/cgi-bin/cstecgi.cgi` CGI handler. The flaws are OS command injection issues in the `setWizardCfg`, `setUPnPCfg`, and `setWiFiEasyCfg` functions, where crafted input to the `wizard`, `enable`, and `merge` arguments can trigger command execution on the device. The vulnerabilities are mapped to **CWE-78** and **CWE-77** and were rated critical across **CVSS v2**, **CVSS v3.1**, and **CVSS v4.0** scoring schemes. All three issues are remotely exploitable over the network and require **no privileges** and **no user interaction**, creating a high-risk exposure for internet-accessible devices. Public exploit information has already been disclosed, with references including VulDB entries and a GitHub proof-of-concept, increasing the likelihood of near-term exploitation. The disclosures indicate that multiple administrative configuration paths in the router's web interface can be abused for remote code execution, making unpatched A8000RU systems a priority for immediate review and remediation.

5 days ago
