EUVD-2026-21324CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Tags
Description
A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. The affected element is the function setVpnAccountCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument User results in os command injection. The attack may be launched remotely. The exploit is now public and may be used.
Analysis
OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via the User parameter in setVpnAccountCfg function at /cgi-bin/cstecgi.cgi endpoint. CVSS 9.8 critical severity with publicly available exploit code documented on GitHub. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all Totolik A7100RU routers in your environment and isolate firmware version 7.4cu.2313_b20191024 devices from untrusted networks; check vendor (Totolik) security advisory for available firmware updates and apply immediately if released. Within 7 days: Complete inventory of all affected devices and verify firmware version across all instances; implement network segmentation to restrict access to router management interfaces to authorized administrative subnets only. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today