Skip to main content

Totolink A7100RU CVE-2026-5689

| EUVDEUVD-2026-19551 MEDIUM
Command Injection (CWE-77)
2026-04-06 cna@vuldb.com
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
Apr 29, 2026 - 01:11 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
EUVD ID Assigned
Apr 06, 2026 - 23:22 euvd
EUVD-2026-19551
Analysis Generated
Apr 06, 2026 - 23:22 vuln.today
CVE Published
Apr 06, 2026 - 23:16 nvd
MEDIUM 6.9

DescriptionCVE.org

A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. The affected element is the function setNtpCfg of the file /cgi-bin/cstecgi.cgi. Performing a manipulation of the argument tz results in os command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used.

AnalysisAI

Remote code execution via OS command injection in Totolink A7100RU 7.4cu.2313_b20191024 allows unauthenticated network attackers to execute arbitrary commands through the tz parameter in the setNtpCfg function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists, and the vulnerability carries a CVSS 6.9 score indicating moderate severity with low impact across confidentiality, integrity, and availability.

Technical ContextAI

The vulnerability exploits improper input validation in a CGI script responsible for Network Time Protocol (NTP) configuration on a residential wireless router. The setNtpCfg function fails to sanitize the tz (timezone) parameter before passing it to shell command execution, enabling CWE-77 (Improper Neutralization of Special Elements used in a Command) exploitation. The affected product is a Totolink A7100RU WiFi router running firmware version 7.4cu.2313_b20191024. The attack leverages the router's web management interface, which exposes CGI endpoints without requiring authentication.

RemediationAI

Firmware patch availability from Totolink is not confirmed in available data. Users should immediately contact Totolink support or visit https://www.totolink.net/ to determine if a patched firmware version is available for the A7100RU. As an interim mitigation, restrict network access to the router's web management interface by disabling remote administration features, limiting access to the /cgi-bin/cstecgi.cgi endpoint via firewall rules, and ensuring the router is only accessible from trusted internal networks. If the router supports it, change default credentials and apply the latest available firmware release. Monitor Totolink's security advisories for patch releases.

Share

CVE-2026-5689 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy