Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
A vulnerability has been found in Totolink A7100RU 7.4cu.2313_b20191024. This vulnerability affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument ip leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.
AnalysisAI
OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands with router privileges via crafted requests to the /cgi-bin/cstecgi.cgi endpoint. The vulnerability resides in the setDiagnosisCfg function's insufficient validation of the 'ip' parameter. Publicly available exploit code exists (GitHub POC published), significantly lowering exploitation barriers. CVSS 9.8 (Critical) reflects network-accessible, low-complexity attack requiring no authentication. No vendor-released patch identified at time of analysis.
Technical ContextAI
This vulnerability exploits CWE-78 (OS Command Injection) in the CGI handler of Totolink A7100RU router firmware. The affected component is /cgi-bin/cstecgi.cgi, specifically within the setDiagnosisCfg function commonly used for network diagnostic operations like ping or traceroute. The 'ip' parameter accepts user-supplied input that is passed unsanitized to system shell commands. Attackers can inject shell metacharacters (e.g., semicolons, pipe operators, backticks) to append arbitrary commands. The CPE identifier cpe:2.3:a:totolink:a7100ru:*:*:*:*:*:*:*:* indicates this is an application-level vulnerability in Totolink's router software. CGI-based management interfaces in embedded devices frequently suffer from command injection when diagnostic or configuration functions construct shell commands through string concatenation rather than parameterized execution.
RemediationAI
No vendor-released patch identified at time of analysis. Users should immediately check the official Totolink support portal (https://www.totolink.net/) for firmware updates newer than 7.4cu.2313_b20191024 and apply them if available. As interim mitigations: (1) Disable remote administration access to the router's web interface, ensuring management is only accessible from the internal LAN; (2) Implement firewall rules to block external access to TCP ports commonly used for router management (80, 443, 8080); (3) If the diagnostic functionality is not required, consider blocking access to /cgi-bin/cstecgi.cgi through the router's access control features if available; (4) For critical environments, consider replacing the device with alternative hardware from vendors with active security support programs. Monitor VulDB entries https://vuldb.com/vuln/356976 and https://vuldb.com/vuln/356976/cti for updated remediation guidance. Given the severity and lack of patch, device replacement may be the most secure long-term solution for high-risk deployments.
Command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to ex
OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to
OS command injection in Totolink A7100RU router firmware 7.4cu.2313 allows unauthenticated remote attackers to execute a
OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to
OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to
OS command injection in Totolink A7100RU firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execut
OS command injection in Totolink A7100RU router firmware version 7.4cu.2313_b20191024 allows unauthenticated remote atta
OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to
OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to
OS command injection in Totolink A7100RU router firmware (version 7.4cu.2313_b20191024) allows unauthenticated remote at
OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to
OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21708