Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this issue is the function setNetworkCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument proto results in os command injection. The attack may be initiated remotely. The exploit is now public and may be used.
AnalysisAI
OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands with router privileges via the 'proto' parameter in setNetworkCfg function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists, significantly lowering the exploitation barrier. CVSS 9.8 (Critical) reflects network-accessible attack requiring no authentication or user interaction.
Technical ContextAI
This is a classic OS command injection vulnerability (CWE-78) in the CGI-based web management interface of the Totolink A7100RU wireless router. The setNetworkCfg function in the cstecgi.cgi CGI handler fails to properly sanitize user input from the 'proto' parameter before passing it to system shell commands. CGI scripts executing with elevated router privileges often invoke shell commands for network configuration tasks, making insufficient input validation a common attack surface in legacy router firmware. The CPE identifier cpe:2.3:a:totolink:a7100ru:*:*:*:*:*:* confirms the Totolink A7100RU product line is affected, specifically firmware version 7.4cu.2313_b20191024 released October 2019.
RemediationAI
No vendor-released patch identified at time of analysis. Users should immediately check the official Totolink support site (https://www.totolink.net/) for firmware updates newer than version 7.4cu.2313_b20191024. If no patch is available, implement network-level mitigations: disable remote administration access to the router's web interface, restrict management access to trusted local network segments only via firewall rules, and deploy the device behind a perimeter firewall if used in enterprise environments. Consider replacing the device with actively maintained hardware if Totolink does not release a security update within a reasonable timeframe, as the publicly available exploit (https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_179/README.md) makes this vulnerability trivially exploitable. Monitor vendor advisories at VulDB reference https://vuldb.com/vuln/356974 for patch release notifications.
Command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to ex
OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to
OS command injection in Totolink A7100RU router firmware 7.4cu.2313 allows unauthenticated remote attackers to execute a
OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to
OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to
OS command injection in Totolink A7100RU firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execut
OS command injection in Totolink A7100RU router firmware version 7.4cu.2313_b20191024 allows unauthenticated remote atta
OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to
OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to
OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to
OS command injection in Totolink A7100RU router firmware (version 7.4cu.2313_b20191024) allows unauthenticated remote at
OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21705
GHSA-wj59-xw95-68pp