Skip to main content

A7100Ru CVE-2026-5688

| EUVDEUVD-2026-19547 MEDIUM
OS Command Injection (CWE-78)
2026-04-06 VulDB GHSA-r8h7-vx32-9qj2
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
CVSS changed
Apr 29, 2026 - 01:11 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
PoC Detected
Apr 07, 2026 - 13:20 vuln.today
Public exploit code
EUVD ID Assigned
Apr 06, 2026 - 22:31 euvd
EUVD-2026-19547
Analysis Generated
Apr 06, 2026 - 22:31 vuln.today
CVE Published
Apr 06, 2026 - 22:15 nvd
MEDIUM 6.9

DescriptionCVE.org

A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. Impacted is the function setDdnsCfg of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument provider leads to os command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.

AnalysisAI

OS command injection in Totolink A7100RU router firmware version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via the 'provider' parameter in the setDdnsCfg function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists (GitHub POC) demonstrating practical exploitation. With CVSS 7.3 and network-accessible attack vector requiring no authentication or user interaction, this represents a significant risk to exposed devices, though no active exploitation confirmed by CISA KEV at time of analysis.

Technical ContextAI

This vulnerability exploits CWE-78 (OS Command Injection) in the web management interface of the Totolink A7100RU wireless router. The setDdnsCfg function in /cgi-bin/cstecgi.cgi CGI script fails to properly sanitize the 'provider' parameter before passing it to system shell commands. This is a common vulnerability class in embedded device firmware where CGI scripts use dangerous functions like system(), popen(), or exec() without input validation. The affected CPE (cpe:2.3:a:totolink:a7100ru) indicates this impacts the router's application firmware layer. DDNS (Dynamic DNS) configuration interfaces are particularly vulnerable as they often construct system commands to update DNS records, and improper input handling allows attackers to inject arbitrary shell metacharacters and command sequences. The vulnerability exists in firmware version 7.4cu.2313_b20191024 built in October 2019, suggesting legacy code without modern secure coding practices.

RemediationAI

No vendor-released patch identified at time of analysis based on available references. Primary mitigation: immediately restrict network access to the router's web management interface at /cgi-bin/cstecgi.cgi by disabling remote administration features and ensuring management access is only available from trusted internal networks, never from WAN/internet. Implement firewall rules blocking external access to TCP ports 80/443 on the device. Secondary measures: monitor Totolink vendor site (https://www.totolink.net/) and security advisories from VulDB (https://vuldb.com/vuln/355515) for firmware updates addressing CVE-2026-5688. If patched firmware becomes available, upgrade immediately following vendor instructions. Organizations with high-risk exposure should consider replacing affected devices with alternative routers that receive active security support. Implement network segmentation to isolate IoT/router infrastructure from critical systems to limit potential pivot opportunities if device is compromised.

CVE-2026-6195 HIGH POC
8.9 Apr 13

Command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to ex

CVE-2026-6156 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6155 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313 allows unauthenticated remote attackers to execute a

CVE-2026-6154 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6140 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6139 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execut

CVE-2026-6138 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware version 7.4cu.2313_b20191024 allows unauthenticated remote atta

CVE-2026-6132 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6131 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6116 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6115 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware (version 7.4cu.2313_b20191024) allows unauthenticated remote at

CVE-2026-6114 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

Share

CVE-2026-5688 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy