Skip to main content

A7100Ru CVE-2026-6114

| EUVDEUVD-2026-21705 HIGH
OS Command Injection (CWE-78)
2026-04-12 VulDB GHSA-wj59-xw95-68pp
8.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 19:07 vuln.today
cvss_changed
PoC Detected
Apr 27, 2026 - 19:05 vuln.today
Public exploit code
Severity Changed
Apr 12, 2026 - 04:22 NVD
CRITICAL HIGH
CVSS changed
Apr 12, 2026 - 04:22 NVD
9.8 (CRITICAL) 8.9 (HIGH)
Analysis Generated
Apr 12, 2026 - 04:05 vuln.today
EUVD ID Assigned
Apr 12, 2026 - 04:00 euvd
EUVD-2026-21705
Analysis Generated
Apr 12, 2026 - 04:00 vuln.today
CVE Published
Apr 12, 2026 - 03:30 nvd
HIGH 8.9

DescriptionCVE.org

A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this issue is the function setNetworkCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument proto results in os command injection. The attack may be initiated remotely. The exploit is now public and may be used.

AnalysisAI

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands with router privileges via the 'proto' parameter in setNetworkCfg function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists, significantly lowering the exploitation barrier. CVSS 9.8 (Critical) reflects network-accessible attack requiring no authentication or user interaction.

Technical ContextAI

This is a classic OS command injection vulnerability (CWE-78) in the CGI-based web management interface of the Totolink A7100RU wireless router. The setNetworkCfg function in the cstecgi.cgi CGI handler fails to properly sanitize user input from the 'proto' parameter before passing it to system shell commands. CGI scripts executing with elevated router privileges often invoke shell commands for network configuration tasks, making insufficient input validation a common attack surface in legacy router firmware. The CPE identifier cpe:2.3:a:totolink:a7100ru:*:*:*:*:*:* confirms the Totolink A7100RU product line is affected, specifically firmware version 7.4cu.2313_b20191024 released October 2019.

RemediationAI

No vendor-released patch identified at time of analysis. Users should immediately check the official Totolink support site (https://www.totolink.net/) for firmware updates newer than version 7.4cu.2313_b20191024. If no patch is available, implement network-level mitigations: disable remote administration access to the router's web interface, restrict management access to trusted local network segments only via firewall rules, and deploy the device behind a perimeter firewall if used in enterprise environments. Consider replacing the device with actively maintained hardware if Totolink does not release a security update within a reasonable timeframe, as the publicly available exploit (https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_179/README.md) makes this vulnerability trivially exploitable. Monitor vendor advisories at VulDB reference https://vuldb.com/vuln/356974 for patch release notifications.

CVE-2026-6195 HIGH POC
8.9 Apr 13

Command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to ex

CVE-2026-6156 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6155 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313 allows unauthenticated remote attackers to execute a

CVE-2026-6154 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6140 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6139 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execut

CVE-2026-6138 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware version 7.4cu.2313_b20191024 allows unauthenticated remote atta

CVE-2026-6132 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6131 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6116 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6115 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware (version 7.4cu.2313_b20191024) allows unauthenticated remote at

CVE-2026-6113 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

Share

CVE-2026-6114 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy