Skip to main content

A7100Ru CVE-2026-5692

| EUVDEUVD-2026-19557 MEDIUM
OS Command Injection (CWE-78)
2026-04-06 VulDB
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
CVSS changed
Apr 29, 2026 - 01:11 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
PoC Detected
Apr 07, 2026 - 13:20 vuln.today
Public exploit code
EUVD ID Assigned
Apr 06, 2026 - 23:31 euvd
EUVD-2026-19557
Analysis Generated
Apr 06, 2026 - 23:31 vuln.today
CVE Published
Apr 06, 2026 - 23:15 nvd
MEDIUM 6.9

DescriptionCVE.org

A vulnerability was found in Totolink A7100RU 7.4cu.2313_b20191024. This impacts the function setGameSpeedCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument enable results in os command injection. The attack may be performed from remote. The exploit has been made public and could be used.

AnalysisAI

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via the 'enable' parameter in the setGameSpeedCfg function of /cgi-bin/cstecgi.cgi. Public exploit code exists on GitHub (EPSS and KEV status not provided, but publicly available proof-of-concept increases immediate risk). Attack vector is network-based with low complexity requiring no user interaction or authentication (CVSS:3.1 AV:N/AC:L/PR:N/UI:N).

Technical ContextAI

This vulnerability affects the Totolink A7100RU router (CPE: cpe:2.3:a:totolink:a7100ru), specifically firmware version 7.4cu.2313_b20191024 released October 2019. The flaw resides in the web administration interface's CGI handler at /cgi-bin/cstecgi.cgi, within the setGameSpeedCfg function likely intended for gaming traffic optimization features. The root cause is CWE-78 (OS Command Injection), where user-controlled input from the 'enable' parameter is passed to system shell commands without proper sanitization or validation. This classic injection vulnerability allows attackers to break out of the intended command context and execute arbitrary operating system commands with the privileges of the web server process, typically running as root on embedded router devices. The CGI interface's direct exposure to the network combined with lack of input validation creates a straightforward attack surface.

RemediationAI

No vendor-released patch identified at time of analysis based on available references (CVSS temporal vector RL:X indicates unavailable remediation). Users should immediately check the Totolink support website at https://www.totolink.net/ for firmware updates newer than version 7.4cu.2313_b20191024 and apply them if available. As interim mitigations, disable remote administration access to the router's web interface, restrict management access to trusted internal IP addresses only through firewall rules if the router supports this feature, and place the device behind a separate firewall that blocks external access to ports 80 and 443 destined for the router's LAN IP. Consider replacing the device with alternative hardware if Totolink does not release security updates, as command injection vulnerabilities in embedded devices are often terminal security issues without vendor patches. Monitor VulDB references (https://vuldb.com/vuln/355519) and the vendor site for updated remediation guidance.

CVE-2026-6195 HIGH POC
8.9 Apr 13

Command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to ex

CVE-2026-6156 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6155 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313 allows unauthenticated remote attackers to execute a

CVE-2026-6154 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6140 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6139 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execut

CVE-2026-6138 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware version 7.4cu.2313_b20191024 allows unauthenticated remote atta

CVE-2026-6132 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6131 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6116 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6115 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware (version 7.4cu.2313_b20191024) allows unauthenticated remote at

CVE-2026-6114 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

Share

CVE-2026-5692 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy