Skip to main content

A7100Ru CVE-2026-6138

| EUVDEUVD-2026-21761 HIGH
OS Command Injection (CWE-78)
2026-04-13 VulDB GHSA-4gxr-jwfr-c55p
8.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 19:07 vuln.today
cvss_changed
PoC Detected
Apr 27, 2026 - 19:05 vuln.today
Public exploit code
Severity Changed
Apr 13, 2026 - 00:22 NVD
CRITICAL HIGH
CVSS changed
Apr 13, 2026 - 00:22 NVD
9.8 (CRITICAL) 8.9 (HIGH)
Analysis Generated
Apr 13, 2026 - 00:17 vuln.today
EUVD ID Assigned
Apr 13, 2026 - 00:15 euvd
EUVD-2026-21761
Analysis Generated
Apr 13, 2026 - 00:15 vuln.today
CVE Published
Apr 13, 2026 - 00:00 nvd
HIGH 8.9

DescriptionCVE.org

A flaw has been found in Totolink A7100RU 7.4cu.2313_b20191024. The impacted element is the function setAccessDeviceCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument mac causes os command injection. The attack can be initiated remotely. The exploit has been published and may be used.

AnalysisAI

OS command injection in Totolink A7100RU router firmware version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands with router privileges via a crafted MAC address parameter to the setAccessDeviceCfg function in /cgi-bin/cstecgi.cgi. CVSS 9.8 (Critical) with publicly available exploit code on GitHub. No authentication, low complexity, network-exploitable. EPSS and KEV data not available, but public POC significantly lowers exploitation barrier for opportunistic attacks against internet-exposed router management interfaces.

Technical ContextAI

This vulnerability affects the CGI (Common Gateway Interface) handler in Totolink A7100RU wireless routers, specifically the setAccessDeviceCfg function within the cstecgi.cgi script. The root cause is CWE-78 (OS Command Injection), where user-supplied input in the 'mac' parameter is not properly validated or sanitized before being passed to underlying system shell commands. CGI scripts on embedded devices like routers typically run with elevated privileges to configure network settings, making command injection particularly dangerous. The affected product (cpe:2.3:a:totolink:a7100ru) is a consumer-grade wireless router, and the vulnerable CGI endpoint is commonly exposed on the device's web management interface. Improper input validation allows attackers to break out of the intended command context by injecting shell metacharacters (semicolons, pipes, backticks) within the MAC address field, causing the router to execute arbitrary commands as root or the web server user.

RemediationAI

No vendor-released patch identified at time of analysis based on available references. Users should immediately check the official Totolink support site at https://www.totolink.net/ for firmware updates newer than version 7.4cu.2313_b20191024. As an interim mitigation, disable remote administration access to the router's web management interface, ensuring it is only accessible from the local LAN and not exposed to the internet. Implement network-level access controls (firewall rules) to restrict access to the management interface to trusted IP addresses only. Consider replacing the device with alternative hardware if the vendor does not provide timely security updates, as command injection vulnerabilities of this severity cannot be effectively mitigated without patching the underlying code flaw. Monitor router logs for suspicious access attempts to /cgi-bin/cstecgi.cgi and unusual outbound connections that might indicate compromise.

CVE-2026-6195 HIGH POC
8.9 Apr 13

Command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to ex

CVE-2026-6156 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6155 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313 allows unauthenticated remote attackers to execute a

CVE-2026-6154 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6140 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6139 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execut

CVE-2026-6132 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6131 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6116 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6115 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware (version 7.4cu.2313_b20191024) allows unauthenticated remote at

CVE-2026-6114 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6113 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

Share

CVE-2026-6138 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy