Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability has been found in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function setFirewallType of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument firewallType leads to os command injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
Remote command injection in Totolink A7100RU 7.4cu.2313_b20191024 allows unauthenticated attackers to execute arbitrary OS commands via the firewallType parameter in the setFirewallType function of /cgi-bin/cstecgi.cgi. The vulnerability has a CVSS score of 6.9 with low confidentiality, integrity, and availability impact. Public exploit code exists and the vulnerability is potentially actively exploited.
Technical ContextAI
The vulnerability exists in the web-based management interface of the Totolink A7100RU router. The /cgi-bin/cstecgi.cgi CGI script fails to properly sanitize user input to the firewallType parameter before passing it to OS command execution functions. This is a classic CWE-77 (Improper Neutralization of Special Elements used in a Command) vulnerability where attacker-controlled input is concatenated directly into shell commands without escaping or validation. The affected product is a consumer-grade WiFi router with a remote, unauthenticated attack surface exposed through its HTTP management interface.
RemediationAI
Users should visit www.totolink.net and check for firmware updates for the A7100RU router model beyond version 7.4cu.2313_b20191024. The primary mitigation is to upgrade to the latest available firmware release from Totolink. As an interim workaround, restrict network access to the router's web management interface (/cgi-bin/cstecgi.cgi) via firewall rules, limiting access to trusted networks only, and disable remote management features if available. If the router is no longer receiving security updates from the vendor, consider replacing it with a supported device. Detailed vulnerability information and potential POC code are available at the VulDB references (vuldb.com/vuln/355518) and the GitHub repository (github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_189/README.md).
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19555