Skip to main content

Totolink A7100RU CVE-2026-5690

| EUVDEUVD-2026-19553 MEDIUM
Command Injection (CWE-77)
2026-04-06 cna@vuldb.com GHSA-wvc4-2vwc-mwh2
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
Apr 29, 2026 - 01:11 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
EUVD ID Assigned
Apr 06, 2026 - 23:22 euvd
EUVD-2026-19553
Analysis Generated
Apr 06, 2026 - 23:22 vuln.today
CVE Published
Apr 06, 2026 - 23:16 nvd
MEDIUM 6.9

DescriptionCVE.org

A flaw has been found in Totolink A7100RU 7.4cu.2313_b20191024. The impacted element is the function setRemoteCfg of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument enable can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used.

AnalysisAI

Remote command injection in Totolink A7100RU firmware version 7.4cu.2313_b20191024 allows unauthenticated attackers to execute arbitrary OS commands by manipulating the enable parameter in the setRemoteCfg function of /cgi-bin/cstecgi.cgi. The vulnerability has a publicly available exploit and a CVSS 6.9 score reflecting remote network accessibility with low attack complexity. Real-world risk is elevated due to the presence of published exploit code and the direct path to command execution in a widely deployed home router model.

Technical ContextAI

The vulnerability exists in the CGI handler cstecgi.cgi, a common entry point for remote configuration in Totolink routers. The setRemoteCfg function fails to properly sanitize or validate the enable parameter before passing it to an OS command execution function, resulting in command injection (CWE-77). The affected technology is a web-based router administration interface that processes remote configuration requests without sufficient input filtering. The attack vector is network-based, leveraging the HTTP/HTTPS interface typically exposed on port 80 or 443 of the device, with no authentication required (PR:N in CVSS 4.0 vector). The CGI endpoint does not validate that the enable parameter contains only expected alphanumeric or boolean values, allowing an attacker to inject shell metacharacters such as pipes, semicolons, or command substitution syntax.

RemediationAI

Firmware update is the primary remediation. Users should check the Totolink support website (https://www.totolink.net/) for the latest firmware version available for the A7100RU model and apply it immediately. If the A7100RU is no longer supported by the vendor, consider replacing the device with a current model receiving active security updates. As an interim mitigation, restrict network access to the device's web administration interface by disabling remote management (if enabled) and ensuring the device is only accessible from trusted internal networks. Firewall rules should block external access to ports 80 and 443 on the router's WAN interface. Monitor for any unauthorized configuration changes via the router's logs. Given the publication of exploit code, patching should be treated with high urgency.

Share

CVE-2026-5690 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy