Skip to main content

A7100Ru CVE-2026-6131

| EUVDEUVD-2026-21748 HIGH
OS Command Injection (CWE-78)
2026-04-12 VulDB GHSA-g7p4-8pj8-9c46
8.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 19:07 vuln.today
cvss_changed
PoC Detected
Apr 27, 2026 - 19:05 vuln.today
Public exploit code
Severity Changed
Apr 12, 2026 - 23:22 NVD
CRITICAL HIGH
CVSS changed
Apr 12, 2026 - 23:22 NVD
9.8 (CRITICAL) 8.9 (HIGH)
Analysis Generated
Apr 12, 2026 - 22:41 vuln.today
EUVD ID Assigned
Apr 12, 2026 - 22:30 euvd
EUVD-2026-21748
Analysis Generated
Apr 12, 2026 - 22:30 vuln.today
CVE Published
Apr 12, 2026 - 22:15 nvd
HIGH 8.9

DescriptionCVE.org

A vulnerability was found in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this vulnerability is the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument command results in os command injection. The attack may be launched remotely. The exploit has been made public and could be used.

AnalysisAI

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands with router privileges via the setTracerouteCfg function in /cgi-bin/cstecgi.cgi. Publicly available exploit code exists on GitHub, significantly lowering the attack barrier. CVSS 9.8 (Critical) with network vector, low complexity, and no authentication required indicates maximum exploitability. While not confirmed in CISA KEV, the public POC makes this an immediate patching priority for affected devices.

Technical ContextAI

This vulnerability exploits CWE-78 (OS Command Injection) in the Totolink A7100RU router's CGI-based web management interface. The setTracerouteCfg function in /cgi-bin/cstecgi.cgi fails to properly sanitize the 'command' parameter before passing it to a system shell execution context. CGI (Common Gateway Interface) scripts in embedded devices historically exhibit poor input validation, allowing attackers to break out of intended command contexts using shell metacharacters (semicolons, pipes, backticks). The affected product is identified by CPE 2.3:a:totolink:a7100ru:*:*:*:*:*:*:*:* running firmware version 7.4cu.2313_b20191024. Totolink routers are consumer-grade networking devices common in SOHO environments, typically running BusyBox-based Linux with root-level web server processes.

RemediationAI

No vendor-released patch identified at time of analysis. Users should immediately check the Totolink official website (https://www.totolink.net/) and support portal for firmware updates newer than version 7.4cu.2313_b20191024. If no patch exists, implement defense-in-depth controls: disable remote administration interfaces, restrict web GUI access to trusted internal IPs only via firewall rules, place the device behind a separate firewall if used in production, and monitor for unusual outbound connections indicating compromise. Consider replacing the device with a model from a vendor with active security support if Totolink does not release a patch within a reasonable timeframe. Additional technical details are available in the vulnerability disclosure at https://vuldb.com/vuln/356995 and the POC repository at https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_182/README.md.

CVE-2026-6195 HIGH POC
8.9 Apr 13

Command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to ex

CVE-2026-6156 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6155 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313 allows unauthenticated remote attackers to execute a

CVE-2026-6154 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6140 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6139 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execut

CVE-2026-6138 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware version 7.4cu.2313_b20191024 allows unauthenticated remote atta

CVE-2026-6132 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6116 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6115 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware (version 7.4cu.2313_b20191024) allows unauthenticated remote at

CVE-2026-6114 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6113 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

Share

CVE-2026-6131 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy