Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A flaw has been found in Totolink A7100RU 7.4cu.2313_b20191024. The impacted element is the function setRemoteCfg of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument enable can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used.
AnalysisAI
Remote command injection in Totolink A7100RU firmware version 7.4cu.2313_b20191024 allows unauthenticated attackers to execute arbitrary OS commands by manipulating the enable parameter in the setRemoteCfg function of /cgi-bin/cstecgi.cgi. The vulnerability has a publicly available exploit and a CVSS 6.9 score reflecting remote network accessibility with low attack complexity. Real-world risk is elevated due to the presence of published exploit code and the direct path to command execution in a widely deployed home router model.
Technical ContextAI
The vulnerability exists in the CGI handler cstecgi.cgi, a common entry point for remote configuration in Totolink routers. The setRemoteCfg function fails to properly sanitize or validate the enable parameter before passing it to an OS command execution function, resulting in command injection (CWE-77). The affected technology is a web-based router administration interface that processes remote configuration requests without sufficient input filtering. The attack vector is network-based, leveraging the HTTP/HTTPS interface typically exposed on port 80 or 443 of the device, with no authentication required (PR:N in CVSS 4.0 vector). The CGI endpoint does not validate that the enable parameter contains only expected alphanumeric or boolean values, allowing an attacker to inject shell metacharacters such as pipes, semicolons, or command substitution syntax.
RemediationAI
Firmware update is the primary remediation. Users should check the Totolink support website (https://www.totolink.net/) for the latest firmware version available for the A7100RU model and apply it immediately. If the A7100RU is no longer supported by the vendor, consider replacing the device with a current model receiving active security updates. As an interim mitigation, restrict network access to the device's web administration interface by disabling remote management (if enabled) and ensuring the device is only accessible from trusted internal networks. Firewall rules should block external access to ports 80 and 443 on the router's WAN interface. Monitor for any unauthorized configuration changes via the router's logs. Given the publication of exploit code, patching should be treated with high urgency.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19553
GHSA-wvc4-2vwc-mwh2