Skip to main content

A7100Ru CVE-2026-6112

| EUVDEUVD-2026-21700 HIGH
OS Command Injection (CWE-78)
2026-04-12 VulDB
8.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 19:07 vuln.today
cvss_changed
PoC Detected
Apr 27, 2026 - 19:05 vuln.today
Public exploit code
Severity Changed
Apr 12, 2026 - 04:22 NVD
CRITICAL HIGH
CVSS changed
Apr 12, 2026 - 04:22 NVD
9.8 (CRITICAL) 8.9 (HIGH)
Analysis Generated
Apr 12, 2026 - 04:05 vuln.today
EUVD ID Assigned
Apr 12, 2026 - 04:00 euvd
EUVD-2026-21700
Analysis Generated
Apr 12, 2026 - 04:00 vuln.today
CVE Published
Apr 12, 2026 - 02:45 nvd
HIGH 8.9

DescriptionCVE.org

A weakness has been identified in Totolink A7100RU 7.4cu.2313_b20191024. Affected is the function setRadvdCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument maxRtrAdvInterval causes os command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.

AnalysisAI

OS command injection in Totolink A7100RU router firmware version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via the CGI interface. The setRadvdCfg function in /cgi-bin/cstecgi.cgi fails to sanitize the maxRtrAdvInterval parameter, enabling command injection through crafted HTTP requests. Publicly available exploit code exists on GitHub, significantly lowering exploitation barriers. CVSS 9.8 critical rating reflects network-accessible attack vector with no authentication or user interaction required, enabling full system compromise.

Technical ContextAI

This vulnerability affects the CGI (Common Gateway Interface) handler in Totolink A7100RU consumer routers, specifically the Router Advertisement Daemon (radvd) configuration function. The setRadvdCfg function processes user-supplied input for the maxRtrAdvInterval parameter without proper input validation or sanitization before passing it to system shell commands. This is a classic CWE-78 (OS Command Injection) vulnerability where attackers can append shell metacharacters and arbitrary commands to the parameter value. The CGI script at /cgi-bin/cstecgi.cgi runs with elevated privileges typical of router management interfaces, meaning injected commands execute with root or administrative permissions. The affected CPE indicates the vulnerability is specific to Totolink A7100RU hardware running the vulnerable firmware build from October 2019.

RemediationAI

Users should immediately check for firmware updates from Totolink at https://www.totolink.net/ and apply the latest available firmware if a patched version has been released. No vendor-released patch version is independently confirmed from available data at time of analysis. As an interim mitigation, disable remote management access to the router's CGI interface and restrict administrative access to trusted internal networks only. Implement network segmentation to isolate vulnerable devices from untrusted networks. If the device is internet-facing, place it behind a firewall with strict access control rules permitting only necessary management traffic from known IP addresses. Organizations should consider replacing affected devices with actively supported models if vendor patch support is unavailable or discontinued. Monitor the vendor security advisory page and vulnerability references at https://vuldb.com/vuln/356972 for updated remediation guidance.

CVE-2026-6195 HIGH POC
8.9 Apr 13

Command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to ex

CVE-2026-6156 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6155 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313 allows unauthenticated remote attackers to execute a

CVE-2026-6154 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6140 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6139 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execut

CVE-2026-6138 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware version 7.4cu.2313_b20191024 allows unauthenticated remote atta

CVE-2026-6132 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6131 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6116 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6115 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware (version 7.4cu.2313_b20191024) allows unauthenticated remote at

CVE-2026-6114 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

Share

CVE-2026-6112 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy