EUVD-2026-21274
GHSA-cv4h-4m28-8hr9
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Description
A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. The affected element is the function setAdvancedInfoShow of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument tty_server leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.
Analysis
OS command injection in Totolink A7100RU firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via the tty_server parameter in the setAdvancedInfoShow function of /cgi-bin/cstecgi.cgi. CVSS 9.8 critical severity reflects network-accessible exploitation requiring no authentication or user interaction. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
24 hours: Identify and inventory all Totolik A7100RU devices in production; isolate affected devices from critical network segments if feasible; enable access logging on all network perimeter devices. 7 days: Contact Totolik support for patch availability and timeline; evaluate replacement router models from alternative vendors as interim solution; implement network segmentation to limit lateral movement from compromised devices. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today