EUVD-2026-21272
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Description
A weakness has been identified in Totolink A7100RU 7.4cu.2313_b20191024. Impacted is the function setMiniuiHomeInfoShow of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument lan_info can lead to os command injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks.
Analysis
OS command injection in Totolink A7100RU 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via malicious lan_info parameter to setMiniuiHomeInfoShow function in /cgi-bin/cstecgi.cgi. CVSS 9.8 critical severity with network attack vector requiring no privileges or user interaction. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify and inventory all Totolik A7100RU devices in production, isolate affected units from untrusted networks or disable WAN access until mitigation is confirmed. Within 7 days: Contact Totolik support to obtain firmware updates beyond version 7.4cu.2313_b20191024; if no patch is available, implement network segmentation to restrict CGI handler access (/cgi-bin/cstecgi.cgi) via firewall rules. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today