EUVD-2026-21761
GHSA-4gxr-jwfr-c55p
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Tags
Description
A flaw has been found in Totolink A7100RU 7.4cu.2313_b20191024. The impacted element is the function setAccessDeviceCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument mac causes os command injection. The attack can be initiated remotely. The exploit has been published and may be used.
Analysis
OS command injection in Totolink A7100RU router firmware version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands with router privileges via a crafted MAC address parameter to the setAccessDeviceCfg function in /cgi-bin/cstecgi.cgi. CVSS 9.8 (Critical) with publicly available exploit code on GitHub. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: identify and inventory all Totolik A7100RU routers in production, especially those accessible from the internet; isolate affected devices from management networks if firmware update is not immediately available. Within 7 days: contact Totolik for firmware updates or migrate to alternative router platforms; if devices must remain in service, implement network segmentation and restrict administrative access to trusted IP ranges only. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today