Skip to main content

A7100Ru CVE-2026-6116

| EUVDEUVD-2026-21708 HIGH
OS Command Injection (CWE-78)
2026-04-12 VulDB
8.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 19:07 vuln.today
cvss_changed
PoC Detected
Apr 27, 2026 - 19:05 vuln.today
Public exploit code
Severity Changed
Apr 12, 2026 - 05:22 NVD
CRITICAL HIGH
CVSS changed
Apr 12, 2026 - 05:22 NVD
9.8 (CRITICAL) 8.9 (HIGH)
Analysis Generated
Apr 12, 2026 - 05:05 vuln.today
EUVD ID Assigned
Apr 12, 2026 - 05:00 euvd
EUVD-2026-21708
Analysis Generated
Apr 12, 2026 - 05:00 vuln.today
CVE Published
Apr 12, 2026 - 04:15 nvd
HIGH 8.9

DescriptionCVE.org

A vulnerability has been found in Totolink A7100RU 7.4cu.2313_b20191024. This vulnerability affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument ip leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.

AnalysisAI

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands with router privileges via crafted requests to the /cgi-bin/cstecgi.cgi endpoint. The vulnerability resides in the setDiagnosisCfg function's insufficient validation of the 'ip' parameter. Publicly available exploit code exists (GitHub POC published), significantly lowering exploitation barriers. CVSS 9.8 (Critical) reflects network-accessible, low-complexity attack requiring no authentication. No vendor-released patch identified at time of analysis.

Technical ContextAI

This vulnerability exploits CWE-78 (OS Command Injection) in the CGI handler of Totolink A7100RU router firmware. The affected component is /cgi-bin/cstecgi.cgi, specifically within the setDiagnosisCfg function commonly used for network diagnostic operations like ping or traceroute. The 'ip' parameter accepts user-supplied input that is passed unsanitized to system shell commands. Attackers can inject shell metacharacters (e.g., semicolons, pipe operators, backticks) to append arbitrary commands. The CPE identifier cpe:2.3:a:totolink:a7100ru:*:*:*:*:*:*:*:* indicates this is an application-level vulnerability in Totolink's router software. CGI-based management interfaces in embedded devices frequently suffer from command injection when diagnostic or configuration functions construct shell commands through string concatenation rather than parameterized execution.

RemediationAI

No vendor-released patch identified at time of analysis. Users should immediately check the official Totolink support portal (https://www.totolink.net/) for firmware updates newer than 7.4cu.2313_b20191024 and apply them if available. As interim mitigations: (1) Disable remote administration access to the router's web interface, ensuring management is only accessible from the internal LAN; (2) Implement firewall rules to block external access to TCP ports commonly used for router management (80, 443, 8080); (3) If the diagnostic functionality is not required, consider blocking access to /cgi-bin/cstecgi.cgi through the router's access control features if available; (4) For critical environments, consider replacing the device with alternative hardware from vendors with active security support programs. Monitor VulDB entries https://vuldb.com/vuln/356976 and https://vuldb.com/vuln/356976/cti for updated remediation guidance. Given the severity and lack of patch, device replacement may be the most secure long-term solution for high-risk deployments.

CVE-2026-6195 HIGH POC
8.9 Apr 13

Command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to ex

CVE-2026-6156 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6155 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313 allows unauthenticated remote attackers to execute a

CVE-2026-6154 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6140 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6139 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execut

CVE-2026-6138 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware version 7.4cu.2313_b20191024 allows unauthenticated remote atta

CVE-2026-6132 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6131 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6115 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware (version 7.4cu.2313_b20191024) allows unauthenticated remote at

CVE-2026-6114 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6113 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

Share

CVE-2026-6116 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy