Unauthenticated Command Injection Flaws Disclosed in Totolink A7100RU and A8000RU Routers
Two high-severity vulnerabilities have been disclosed in Totolink routers that allow remote, unauthenticated OS command injection through the CGI handler in /cgi-bin/cstecgi.cgi. The flaws affect the A7100RU (CVE-2026-5853) running firmware 7.4cu.2313_b20191024 and the A8000RU (CVE-2026-7124) running firmware 7.1cu.643_b20200521, with both issues tied to the setIpv6LanCfg function and abuse of the addrPrefixLen argument. The vulnerabilities are mapped to CWE-78 and CWE-77 and can be exploited remotely without authentication or user interaction.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-7124 disclosed for Totolink A8000RU command injection
A separate vulnerability entry for CVE-2026-7124 was recorded on 2026-04-27 affecting Totolink A8000RU firmware 7.1cu.643_b20200521. The issue is the same class of unauthenticated remote OS command injection in /cgi-bin/cstecgi.cgi setIpv6LanCfg through the addrPrefixLen parameter, with public exploit disclosure already reported.
CVE-2026-5853 disclosed for Totolink A7100RU command injection
A vulnerability entry for CVE-2026-5853 was recorded on 2026-04-09 affecting Totolink A7100RU firmware 7.4cu.2313_b20191024. The flaw in /cgi-bin/cstecgi.cgi setIpv6LanCfg allows unauthenticated remote OS command injection via the addrPrefixLen argument, and public disclosure was noted.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Unauthenticated Command Injection Flaws Disclosed in Totolink A7100RU Router
Two critical vulnerabilities, **CVE-2026-5851** and **CVE-2026-5976**, were disclosed in the **Totolink A7100RU** router running firmware `7.4cu.2313_b20191024`, exposing the device to remote **OS command injection** without authentication or user interaction. Both flaws affect `/cgi-bin/cstecgi.cgi` in the router's CGI handler: CVE-2026-5851 is tied to the `setUPnPCfg` function through the `enable` argument, while CVE-2026-5976 affects the `setStorageCfg` function through the `sambaEnabled` argument. The vulnerabilities were classified under **CWE-78** and **CWE-77** and were assigned high to critical severity across CVSS versions, reflecting potential compromise of confidentiality, integrity, and availability. Public exploit information has reportedly been released, including references to **VulDB** and a **GitHub** disclosure repository, increasing the likelihood of exploitation against exposed devices that have not been updated or otherwise mitigated.
Apr 13, 2026
Critical Command Injection Flaws Expose Totolink A7100RU Routers to RCE
Two newly disclosed vulnerabilities, **CVE-2026-5854** and **CVE-2026-5977**, affect the **Totolink A7100RU** router running firmware `7.4cu.2313_b20191024` and allow **remote command execution** without authentication or user interaction. Both flaws are in the router’s CGI handler at `/cgi-bin/cstecgi.cgi`: CVE-2026-5854 is tied to the `setWiFiEasyCfg` function through the `merge` argument, while CVE-2026-5977 affects `setWiFiBasicCfg` through the `wifiOff` argument.
Apr 10, 2026
Critical Command Injection Flaws Expose Totolink A7100RU and A8000RU Routers
Two Totolink router models, **A7100RU** and **A8000RU**, were disclosed with critical OS command injection vulnerabilities in the CGI handler endpoint `/cgi-bin/cstecgi.cgi`. The flaws affect the `setVpnPassCfg` function and stem from improper handling of the `pptpPassThru` argument, allowing attackers to inject operating system commands remotely. The issues were assigned **CVE-2026-5850** for the A7100RU running firmware `7.4cu.2313_b20191024` and **CVE-2026-7037** for the A8000RU running firmware `7.1cu.643_b20200521`. Both vulnerabilities are classified under **CWE-78** and **CWE-77**, and were reported as remotely exploitable without privileges or user interaction. The disclosures indicate that **public exploits are available**, materially raising the risk of opportunistic compromise of exposed devices. Severity scoring across **CVSS v2**, **CVSS v3.1**, and **CVSS v4.0** places the flaws at critical or maximum-impact levels, making internet-facing Totolink routers running the affected firmware high-priority targets for remediation or isolation.
Apr 26, 2026