EUVD-2026-20866
GHSA-v7g8-5jcv-9p6p
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Description
A weakness has been identified in Totolink A7100RU 7.4cu.2313_b20191024. Affected is the function setIptvCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument igmpVer causes os command injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks.
Analysis
Unauthenticated remote OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 enables complete system compromise via the setIptvCfg function in /cgi-bin/cstecgi.cgi. Attackers inject malicious commands through the igmpVer parameter without authentication, achieving arbitrary code execution with router privileges. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify and inventory all Totolink A7100RU devices in your environment; disable WAN-facing administrative access if possible. Within 7 days: Contact Totolink support to confirm firmware availability beyond 7.4cu.2313_b20191024; if available, schedule immediate firmware updates across all affected units following change management procedures. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today