EUVD-2026-20870CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Description
A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this issue is the function setWiFiEasyCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument merge results in os command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.
Analysis
OS command injection in Totolink A7100RU router 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via the 'merge' parameter in setWiFiEasyCfg function within /cgi-bin/cstecgi.cgi. CVSS 9.8 critical severity. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all Totolik A7100RU routers in production using network scanning or device inventory tools and isolate affected devices to an out-of-band management network if possible. Within 7 days: Contact Totolik support for firmware availability beyond version 7.4cu.2313_b20191024; if no patch is released, implement network-level mitigation (see compensating_controls). …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today