Skip to main content

A7100Ru CVE-2026-6140

| EUVDEUVD-2026-21766 HIGH
OS Command Injection (CWE-78)
2026-04-13 VulDB GHSA-qq79-56j7-gmq4
8.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 19:07 vuln.today
cvss_changed
PoC Detected
Apr 27, 2026 - 19:05 vuln.today
Public exploit code
Severity Changed
Apr 13, 2026 - 01:22 NVD
CRITICAL HIGH
CVSS changed
Apr 13, 2026 - 01:22 NVD
9.8 (CRITICAL) 8.9 (HIGH)
Analysis Generated
Apr 13, 2026 - 01:18 vuln.today
EUVD ID Assigned
Apr 13, 2026 - 01:15 euvd
EUVD-2026-21766
Analysis Generated
Apr 13, 2026 - 01:15 vuln.today
CVE Published
Apr 13, 2026 - 00:30 nvd
HIGH 8.9

DescriptionCVE.org

A vulnerability was found in Totolink A7100RU 7.4cu.2313_b20191024. This impacts the function UploadFirmwareFile of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument FileName results in os command injection. The attack may be initiated remotely. The exploit has been made public and could be used.

AnalysisAI

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via crafted FileName parameter to the UploadFirmwareFile function in /cgi-bin/cstecgi.cgi. CVSS 9.8 (Critical) with network attack vector, no privileges required, and complete system compromise possible. Publicly available exploit code exists (GitHub POC). No vendor-released patch identified at time of analysis. EPSS data not provided, but combination of critical CVSS, unauthenticated remote vector, and public exploit indicates high real-world exploitation risk.

Technical ContextAI

This vulnerability affects the CGI handler component of Totolink A7100RU wireless router firmware, specifically the UploadFirmwareFile function invoked through the /cgi-bin/cstecgi.cgi endpoint. The root cause is CWE-78 (OS Command Injection), occurring when the application fails to properly sanitize the FileName parameter before passing it to system shell commands. When processing firmware upload requests, the CGI handler likely constructs shell commands using attacker-controlled input without adequate validation or escaping. This allows injection of shell metacharacters or command separators that break out of the intended command context and execute arbitrary OS commands with the privileges of the web server process, typically running as root on embedded router platforms. The affected product is identified by CPE cpe:2.3:a:totolink:a7100ru:*:*:*:*:*:*:*:*, specifically version 7.4cu.2313_b20191024 released October 24, 2019.

RemediationAI

No vendor-released patch identified at time of analysis for Totolink A7100RU firmware 7.4cu.2313_b20191024. Users should immediately check the official Totolink support site (https://www.totolink.net/) for updated firmware releases that address this command injection vulnerability. As interim mitigation, disable remote administration access to the router's web interface, restrict management access to trusted internal IP addresses only via firewall rules or access control lists, and place the device behind additional network segmentation if possible. Consider replacing the affected device with alternative hardware if vendor support is discontinued or patches remain unavailable. Monitor network traffic for suspicious requests to /cgi-bin/cstecgi.cgi endpoint and implement intrusion detection signatures to detect exploitation attempts. Detailed technical analysis and exploit proof-of-concept are documented at https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_193/README.md and additional vulnerability intelligence available at https://vuldb.com/vuln/357004.

CVE-2026-6195 HIGH POC
8.9 Apr 13

Command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to ex

CVE-2026-6156 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6155 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313 allows unauthenticated remote attackers to execute a

CVE-2026-6154 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6139 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execut

CVE-2026-6138 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware version 7.4cu.2313_b20191024 allows unauthenticated remote atta

CVE-2026-6132 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6131 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6116 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6115 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware (version 7.4cu.2313_b20191024) allows unauthenticated remote at

CVE-2026-6114 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6113 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

Share

CVE-2026-6140 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy