Skip to main content

A7100Ru CVE-2026-6132

| EUVDEUVD-2026-21749 HIGH
OS Command Injection (CWE-78)
2026-04-12 VulDB GHSA-6469-mcff-f6m6
8.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 19:07 vuln.today
cvss_changed
PoC Detected
Apr 27, 2026 - 19:05 vuln.today
Public exploit code
Severity Changed
Apr 12, 2026 - 23:22 NVD
CRITICAL HIGH
CVSS changed
Apr 12, 2026 - 23:22 NVD
9.8 (CRITICAL) 8.9 (HIGH)
Analysis Generated
Apr 12, 2026 - 22:56 vuln.today
EUVD ID Assigned
Apr 12, 2026 - 22:45 euvd
EUVD-2026-21749
Analysis Generated
Apr 12, 2026 - 22:45 vuln.today
CVE Published
Apr 12, 2026 - 22:30 nvd
HIGH 8.9

DescriptionCVE.org

A vulnerability was determined in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this issue is the function setLedCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument enable causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.

AnalysisAI

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via the 'enable' parameter in the setLedCfg function of /cgi-bin/cstecgi.cgi. Public exploit code exists (GitHub), making this vulnerability immediately weaponizable with CVSS 9.8 (Critical). EPSS data not available, but no CISA KEV listing indicates no confirmed widespread exploitation despite POC availability.

Technical ContextAI

The vulnerability resides in the CGI (Common Gateway Interface) handler of Totolink A7100RU residential router firmware, specifically within the setLedCfg configuration function accessible via /cgi-bin/cstecgi.cgi. This represents a classic CWE-78 OS Command Injection flaw where user-supplied input to the 'enable' parameter is not properly sanitized before being passed to system shell commands. CGI scripts in embedded devices often interact directly with system utilities through shell execution, and failure to validate input allows attackers to break out of intended command context using shell metacharacters (semicolons, pipes, backticks). The affected CPE (cpe:2.3:a:totolink:a7100ru) confirms this impacts the router's application firmware layer, where web-based management interfaces execute privileged system operations.

RemediationAI

No vendor-released patch identified at time of analysis despite public disclosure. Users should immediately check the Totolink official website (www.totolink.net) under support/downloads for firmware updates newer than 7.4cu.2313_b20191024 and apply if available. As interim mitigation, disable remote administration access to the router's web interface, restrict management interface access to trusted local networks only via firewall rules, and place the device behind a separate firewall that blocks external access to port 80/443 directed at the router. Consider replacing the device with actively supported hardware if Totolink does not release a security update within reasonable timeframe. Network segmentation can limit blast radius if device is compromised-isolate IoT/guest networks from critical systems.

CVE-2026-6195 HIGH POC
8.9 Apr 13

Command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to ex

CVE-2026-6156 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6155 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313 allows unauthenticated remote attackers to execute a

CVE-2026-6154 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6140 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6139 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execut

CVE-2026-6138 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware version 7.4cu.2313_b20191024 allows unauthenticated remote atta

CVE-2026-6131 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6116 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6115 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware (version 7.4cu.2313_b20191024) allows unauthenticated remote at

CVE-2026-6114 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6113 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

Share

CVE-2026-6132 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy