EUVD-2026-21764CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Tags
Description
A vulnerability has been found in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function UploadOpenVpnCert of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument FileName leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Analysis
OS command injection in Totolink A7100RU firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via the FileName parameter in UploadOpenVpnCert function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists (POC on GitHub), enabling trivial exploitation with no authentication required. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all Totolik A7100RU devices in your network and verify firmware version (7.4cu.2313_b20191024). Within 7 days: Contact Totolink for available firmware updates and test in a non-production environment; implement network-level access controls to restrict unauthenticated access to /cgi-bin/cstecgi.cgi from untrusted networks. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today