EUVD-2026-20868
GHSA-hh2p-hqf4-c9m6
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Description
A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this vulnerability is the function setIpv6LanCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument addrPrefixLen leads to os command injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.
Analysis
OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 enables unauthenticated remote attackers to execute arbitrary system commands via crafted addrPrefixLen parameter in setIpv6LanCfg function of /cgi-bin/cstecgi.cgi CGI handler. CVSS 9.8 critical severity reflects network-accessible attack vector requiring no privileges or user interaction, with complete confidentiality, integrity, and availability impact. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify and inventory all Totolik A7100RU routers in production and isolate them from critical network segments if possible; disable remote management interfaces and restrict access to /cgi-bin/cstecgi.cgi to trusted networks only. Within 7 days: Contact Totolik support to confirm whether patched firmware versions are available for this specific model; if available, plan maintenance window for immediate deployment. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today