Skip to main content

A7100Ru CVE-2026-5852

| EUVDEUVD-2026-20866 HIGH
OS Command Injection (CWE-78)
2026-04-09 VulDB GHSA-v7g8-5jcv-9p6p
8.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
Apr 27, 2026 - 19:07 vuln.today
cvss_changed
PoC Detected
Apr 09, 2026 - 07:16 vuln.today
Public exploit code
EUVD ID Assigned
Apr 09, 2026 - 07:00 euvd
EUVD-2026-20866
Analysis Generated
Apr 09, 2026 - 07:00 vuln.today
CVE Published
Apr 09, 2026 - 06:15 nvd
HIGH 8.9

DescriptionCVE.org

A weakness has been identified in Totolink A7100RU 7.4cu.2313_b20191024. Affected is the function setIptvCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument igmpVer causes os command injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks.

AnalysisAI

Unauthenticated remote OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 enables complete system compromise via the setIptvCfg function in /cgi-bin/cstecgi.cgi. Attackers inject malicious commands through the igmpVer parameter without authentication, achieving arbitrary code execution with router privileges. CVSS 9.8 (Critical). Publicly available exploit code exists. No authentication, network-accessible attack vector with low complexity allows immediate weaponization for botnet recruitment, credential theft, or lateral network movement.

Technical ContextAI

CWE-78 command injection in CGI handler fails to sanitize igmpVer parameter input before passing to system shell. CVSS vector PR:N confirms zero authentication barriers. Exploitation occurs at network boundary through standard HTTP requests to CGI endpoint, directly invoking OS commands via unvalidated user-controlled strings in IPTV configuration function.

RemediationAI

No vendor-released patch identified at time of analysis. Totolink has not published security advisories addressing CVE-2026-5852 per vendor website review (https://www.totolink.net/). Immediate mitigation requires disabling external management interface access and restricting CGI endpoint exposure to trusted internal networks only. Implement network-level access controls blocking inbound connections to /cgi-bin/cstecgi.cgi from untrusted sources. Consider device replacement with actively maintained router firmware. Monitor VulDB advisory updates at https://vuldb.com/vuln/356378 and exploit repository https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_158/README.md for vendor response developments. Deploy intrusion detection signatures targeting igmpVer parameter manipulation patterns in HTTP POST requests to affected CGI paths.

CVE-2026-6195 HIGH POC
8.9 Apr 13

Command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to ex

CVE-2026-6156 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6155 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313 allows unauthenticated remote attackers to execute a

CVE-2026-6154 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6140 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6139 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execut

CVE-2026-6138 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware version 7.4cu.2313_b20191024 allows unauthenticated remote atta

CVE-2026-6132 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6131 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6116 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6115 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware (version 7.4cu.2313_b20191024) allows unauthenticated remote at

CVE-2026-6114 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

Share

CVE-2026-5852 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy