Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. The affected element is the function setNtpCfg of the file /cgi-bin/cstecgi.cgi. Performing a manipulation of the argument tz results in os command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used.
AnalysisAI
Remote code execution via OS command injection in Totolink A7100RU 7.4cu.2313_b20191024 allows unauthenticated network attackers to execute arbitrary commands through the tz parameter in the setNtpCfg function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists, and the vulnerability carries a CVSS 6.9 score indicating moderate severity with low impact across confidentiality, integrity, and availability.
Technical ContextAI
The vulnerability exploits improper input validation in a CGI script responsible for Network Time Protocol (NTP) configuration on a residential wireless router. The setNtpCfg function fails to sanitize the tz (timezone) parameter before passing it to shell command execution, enabling CWE-77 (Improper Neutralization of Special Elements used in a Command) exploitation. The affected product is a Totolink A7100RU WiFi router running firmware version 7.4cu.2313_b20191024. The attack leverages the router's web management interface, which exposes CGI endpoints without requiring authentication.
RemediationAI
Firmware patch availability from Totolink is not confirmed in available data. Users should immediately contact Totolink support or visit https://www.totolink.net/ to determine if a patched firmware version is available for the A7100RU. As an interim mitigation, restrict network access to the router's web management interface by disabling remote administration features, limiting access to the /cgi-bin/cstecgi.cgi endpoint via firewall rules, and ensuring the router is only accessible from trusted internal networks. If the router supports it, change default credentials and apply the latest available firmware release. Monitor Totolink's security advisories for patch releases.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19551