Skip to main content

A7100Ru CVE-2026-6139

| EUVDEUVD-2026-21764 HIGH
OS Command Injection (CWE-78)
2026-04-13 VulDB
8.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 19:07 vuln.today
cvss_changed
PoC Detected
Apr 27, 2026 - 19:05 vuln.today
Public exploit code
Severity Changed
Apr 13, 2026 - 01:22 NVD
CRITICAL HIGH
CVSS changed
Apr 13, 2026 - 01:22 NVD
9.8 (CRITICAL) 8.9 (HIGH)
Analysis Generated
Apr 13, 2026 - 01:18 vuln.today
EUVD ID Assigned
Apr 13, 2026 - 01:15 euvd
EUVD-2026-21764
Analysis Generated
Apr 13, 2026 - 01:15 vuln.today
CVE Published
Apr 13, 2026 - 00:15 nvd
HIGH 8.9

DescriptionCVE.org

A vulnerability has been found in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function UploadOpenVpnCert of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument FileName leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

AnalysisAI

OS command injection in Totolink A7100RU firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via the FileName parameter in UploadOpenVpnCert function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists (POC on GitHub), enabling trivial exploitation with no authentication required. CVSS 9.8 (Critical) reflects network-based attack vector with low complexity and no privileges needed. No vendor-released patch identified at time of analysis.

Technical ContextAI

This is a CWE-78 OS command injection vulnerability in Totolink A7100RU router firmware. The CGI Handler component processes HTTP requests through /cgi-bin/cstecgi.cgi endpoint, specifically in the UploadOpenVpnCert function responsible for handling OpenVPN certificate uploads. The FileName parameter lacks proper input sanitization, allowing shell metacharacters to be passed directly to system command execution contexts. Affected product: Totolink A7100RU router (cpe:2.3:a:totolink:a7100ru) running firmware version 7.4cu.2313_b20191024 from October 2019. Command injection occurs when user-supplied data is concatenated into shell commands without escaping or validation, enabling arbitrary command execution under the privileges of the CGI process (typically root on embedded router systems).

RemediationAI

No vendor-released patch identified at time of analysis for this 2019 firmware version. Immediate mitigations: disable remote administrative access to router management interface from WAN/Internet side; restrict administrative access to trusted internal networks only via firewall rules or router WAN access controls; disable OpenVPN certificate upload functionality if not required. Long-term solution: replace affected Totolink A7100RU devices with actively supported router models from vendors with established security update programs. Monitor vendor advisories at https://www.totolink.net/ for potential firmware updates. For organizations requiring continued use: implement network segmentation placing IoT devices on isolated VLANs with restricted lateral movement capabilities, deploy intrusion detection systems monitoring for command injection patterns targeting /cgi-bin/cstecgi.cgi endpoint.

CVE-2026-6195 HIGH POC
8.9 Apr 13

Command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to ex

CVE-2026-6156 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6155 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313 allows unauthenticated remote attackers to execute a

CVE-2026-6154 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6140 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6138 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware version 7.4cu.2313_b20191024 allows unauthenticated remote atta

CVE-2026-6132 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6131 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6116 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6115 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware (version 7.4cu.2313_b20191024) allows unauthenticated remote at

CVE-2026-6114 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6113 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

Share

CVE-2026-6139 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy