Skip to main content

A7100Ru CVE-2026-6155

| EUVDEUVD-2026-21810 HIGH
OS Command Injection (CWE-78)
2026-04-13 VulDB
8.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 19:07 vuln.today
cvss_changed
PoC Detected
Apr 27, 2026 - 19:05 vuln.today
Public exploit code
Analysis Generated
Apr 13, 2026 - 04:24 vuln.today
Severity Changed
Apr 13, 2026 - 04:22 NVD
CRITICAL HIGH
CVSS changed
Apr 13, 2026 - 04:22 NVD
9.8 (CRITICAL) 8.9 (HIGH)
EUVD ID Assigned
Apr 13, 2026 - 04:15 euvd
EUVD-2026-21810
Analysis Generated
Apr 13, 2026 - 04:15 vuln.today
CVE Published
Apr 13, 2026 - 03:15 nvd
HIGH 8.9

DescriptionCVE.org

A weakness has been identified in Totolink A7100RU 7.4cu.2313. The impacted element is the function setWanCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument pppoeServiceName can lead to os command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks.

AnalysisAI

OS command injection in Totolink A7100RU router firmware 7.4cu.2313 allows unauthenticated remote attackers to execute arbitrary system commands via the pppoeServiceName parameter in the setWanCfg function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists (GitHub POC), enabling trivial remote compromise with high impact on confidentiality, integrity, and availability. CVSS 8.9 (Critical) with network attack vector, low complexity, and no authentication required. SOHO router vulnerabilities like this are commonly targeted for botnet recruitment and lateral network movement.

Technical ContextAI

This vulnerability (CWE-78: OS Command Injection) resides in the CGI handler component of Totolink A7100RU wireless router firmware, specifically affecting version 7.4cu.2313 (CPE: cpe:2.3:a:totolink:a7100ru). The setWanCfg function in /cgi-bin/cstecgi.cgi fails to properly sanitize the pppoeServiceName parameter before passing it to system shell execution contexts. PPPoE (Point-to-Point Protocol over Ethernet) service name configuration is a WAN setup feature exposed through the web management interface. When user-supplied input containing shell metacharacters reaches underlying OS calls without validation, attackers can inject arbitrary commands that execute with the privileges of the web server process, typically root on embedded router platforms. CGI-based router interfaces are legacy web architectures common in consumer networking devices, often lacking modern input validation frameworks.

RemediationAI

No vendor-released patch identified at time of analysis. Totolink has not published security advisories or firmware updates addressing CVE-2026-6155 per available references. Immediate mitigations: disable remote management interface access from WAN (ensure administration is LAN-only), implement network segmentation to isolate IoT/router management traffic, deploy firewall rules blocking external access to TCP ports 80/443 on router WAN interface. Long-term: replace affected device with actively maintained router hardware from vendors with established security update programs, or monitor Totolink vendor site (https://www.totolink.net/) and VulDB advisory (https://vuldb.com/vuln/357035) for future patch availability. Consider this device end-of-security-life if no patch emerges within 90 days.

CVE-2026-6195 HIGH POC
8.9 Apr 13

Command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to ex

CVE-2026-6156 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6154 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6140 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6139 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execut

CVE-2026-6138 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware version 7.4cu.2313_b20191024 allows unauthenticated remote atta

CVE-2026-6132 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6131 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6116 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6115 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware (version 7.4cu.2313_b20191024) allows unauthenticated remote at

CVE-2026-6114 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6113 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

Share

CVE-2026-6155 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy