Skip to main content

Totolink A7100RU CVE-2026-5691

| EUVDEUVD-2026-19555 MEDIUM
Command Injection (CWE-77)
2026-04-06 cna@vuldb.com
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
Apr 29, 2026 - 01:11 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
EUVD ID Assigned
Apr 06, 2026 - 23:22 euvd
EUVD-2026-19555
Analysis Generated
Apr 06, 2026 - 23:22 vuln.today
CVE Published
Apr 06, 2026 - 23:16 nvd
MEDIUM 6.9

DescriptionCVE.org

A vulnerability has been found in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function setFirewallType of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument firewallType leads to os command injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used.

AnalysisAI

Remote command injection in Totolink A7100RU 7.4cu.2313_b20191024 allows unauthenticated attackers to execute arbitrary OS commands via the firewallType parameter in the setFirewallType function of /cgi-bin/cstecgi.cgi. The vulnerability has a CVSS score of 6.9 with low confidentiality, integrity, and availability impact. Public exploit code exists and the vulnerability is potentially actively exploited.

Technical ContextAI

The vulnerability exists in the web-based management interface of the Totolink A7100RU router. The /cgi-bin/cstecgi.cgi CGI script fails to properly sanitize user input to the firewallType parameter before passing it to OS command execution functions. This is a classic CWE-77 (Improper Neutralization of Special Elements used in a Command) vulnerability where attacker-controlled input is concatenated directly into shell commands without escaping or validation. The affected product is a consumer-grade WiFi router with a remote, unauthenticated attack surface exposed through its HTTP management interface.

RemediationAI

Users should visit www.totolink.net and check for firmware updates for the A7100RU router model beyond version 7.4cu.2313_b20191024. The primary mitigation is to upgrade to the latest available firmware release from Totolink. As an interim workaround, restrict network access to the router's web management interface (/cgi-bin/cstecgi.cgi) via firewall rules, limiting access to trusted networks only, and disable remote management features if available. If the router is no longer receiving security updates from the vendor, consider replacing it with a supported device. Detailed vulnerability information and potential POC code are available at the VulDB references (vuldb.com/vuln/355518) and the GitHub repository (github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_189/README.md).

Share

CVE-2026-5691 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy