This is a remote OS command injection vulnerability in the CGI handler of Totolink A7100RU routers. Attackers can exploit the flaw by manipulating the `enable` argument in the `setUPnPCfg` function. Public exploit code has been released for this vulnerability, lowering the barrier for threat actors to abuse it.
Remediation
No official patch has been released by Totolink for this vulnerability. Restrict access to the router's management interface to only trusted internal IP addresses. Consider replacing the affected device with a currently supported alternative to eliminate this risk.
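With no patch available, requests that still reach the management interface can be screened for this parameter. The following is an added example, not code from Totolink or from the original advisory; it assumes request bodies are captured by a proxy or IDS in front of the device, that the handler name `setUPnPCfg` appears as a field value in a JSON or form-encoded body, and that legitimate `enable` values are `0` or `1`.

```python
import json
import re
from urllib.parse import parse_qs

HANDLER = "setUPnPCfg"            # function named in the advisory
PARAM = "enable"                  # argument named in the advisory
SAFE_VALUE = re.compile(r"[01]")  # assumption: legitimate values are 0 or 1


def parse_body(body):
    """Flatten a request body into {field: string}; JSON first, then form."""
    try:
        data = json.loads(body)
        if isinstance(data, dict):
            return {str(k): v if isinstance(v, str) else json.dumps(v)
                    for k, v in data.items()}
    except ValueError:
        pass
    return {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}


def classify(body):
    """Return 'ignore', 'ok' or 'suspicious' for one captured request body."""
    if HANDLER not in body:
        return "ignore"        # not a call to the affected handler
    fields = parse_body(body)
    if HANDLER not in fields.values():
        return "suspicious"    # names the handler but does not parse cleanly
    value = fields.get(PARAM)
    if value is None or SAFE_VALUE.fullmatch(value):
        return "ok"
    return "suspicious"        # value is not a bare 0/1


# Constructed sample bodies; the "action" key is hypothetical.
SAMPLES = [
    '{"action":"setUPnPCfg","enable":"1"}',
    '{"action":"setUPnPCfg","enable":"1;PLACEHOLDER"}',
    'action=setUPnPCfg&enable=0',
    'action=setUPnPCfg&enable=%60PLACEHOLDER%60',
    '{"action":"otherHandler","enable":"1;PLACEHOLDER"}',
    '{"action":"setUPnPCfg","enable":"1',
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(f"{classify(body):<10} {body}")
```

The allowlist is deliberately strict: it flags every `enable` value that is not a single `0` or `1` rather than trying to enumerate shell metacharacters.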
Exploit info
The exploit has been released to the public; public references are available at https://app.opencve.io/cve/CVE-2026-5851 or https://vulners.com/cve/CVE-2026-5851. Potential exploit details can be searched in Exploit-DB or GitHub: https://www.exploit-db.com/search?cve=CVE-2026-5851 and https://github.com/search?q=CVE-2026-5851+exploit