EUVD-2026-21074
GHSA-v89g-prph-7892
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Tags
Description
A vulnerability was identified in Totolink A7100RU 7.4cu.2313_b20191024. The impacted element is the function setDmzCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument wanIdx leads to os command injection. The attack may be performed from remote. The exploit is publicly available and might be used.
Analysis
OS command injection in Totolink A7100RU router firmware version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via the wanIdx parameter in the setDmzCfg function within /cgi-bin/cstecgi.cgi. CVSS 8.9 (Critical) with attack complexity low, no privileges required, and no user interaction. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all Totolik A7100RU devices in production and isolate from critical network paths; check Totolink vendor advisory for available firmware versions beyond 7.4cu.2313_b20191024. Within 7 days: Contact Totolink support for patch status and interim firmware alternatives; implement network-level controls restricting WAN-facing access to DMZ configuration interface (/cgi-bin/cstecgi.cgi). …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today