This vulnerability allows remote attackers to execute arbitrary OS commands on affected Totolink A7100RU routers. The flaw exists in the `setVpnPassCfg` function of the device's CGI handler, and can be triggered by manipulating the `pptpPassThru` argument. Public exploit code is available for this issue.
Remediation
No official patch is available for this vulnerability from the vendor. Limit management interface access to trusted networks only. Replace the affected end-of-life router with a supported model to resolve the vulnerability permanently.
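A detection check to pair with the access restriction above, as an added example that is not part of the original advisory or any vendor code: it flags captured management requests that call `setVpnPassCfg` with a `pptpPassThru` value outside an expected allowlist. The allowlist (`0`/`1`), the record layout, the `handler` key and the `/cgi` path are assumptions made for illustration; adapt them to what your proxy or IDS actually records.

```python
import json
from urllib.parse import parse_qsl

HANDLER = "setVpnPassCfg"     # handler name from the advisory
PARAM = "pptpPassThru"        # argument name from the advisory
ALLOWED_VALUES = {"0", "1"}   # assumption: the setting is a plain on/off flag


def extract_params(body):
    """Parse a request body as a JSON object, else as form-encoded pairs."""
    try:
        data = json.loads(body)
        if isinstance(data, dict):
            return {str(k): str(v) for k, v in data.items()}
    except ValueError:
        pass
    return dict(parse_qsl(body, keep_blank_values=True))


def inspect_request(src_ip, target, body):
    """Return a finding when the handler is called with an unexpected value."""
    if HANDLER not in target and HANDLER not in body:
        return None
    params = extract_params(body)
    if PARAM not in params or params[PARAM] in ALLOWED_VALUES:
        return None
    value = params[PARAM]
    return {
        "src": src_ip,
        "param": PARAM,
        "length": len(value),
        "non_alnum": any(not c.isalnum() for c in value),
    }


def scan(records):
    """Run inspect_request over (src_ip, target, body) tuples; keep the hits."""
    return [f for f in (inspect_request(*r) for r in records) if f]


# Constructed sample traffic (documentation addresses, hypothetical "handler" key and path).
SAMPLES = [
    ("192.0.2.10", "/cgi", '{"handler":"setVpnPassCfg","pptpPassThru":"1"}'),
    ("192.0.2.10", "/cgi", "handler=setVpnPassCfg&pptpPassThru=0"),
    ("198.51.100.7", "/cgi", '{"handler":"setVpnPassCfg","pptpPassThru":"1;PLACEHOLDER"}'),
    ("198.51.100.7", "/cgi", '{"handler":"getStatus"}'),
]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

Any hit from an address outside the trusted management network is worth treating as an incident lead, since the advisory states there is no vendor patch.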
Exploit info
The exploit has been released to the public; public references are available at https://app.opencve.io/cve/CVE-2026-5850 or https://vulners.com/cve/CVE-2026-5850.
Potential exploit details can be searched in Exploit-DB or GitHub: https://www.exploit-db.com/search?cve=CVE-2026-5850 and https://github.com/search?q=CVE-2026-5850+exploit