Skip to main content

A7100Ru EUVDEUVD-2026-21706

| CVE-2026-6115 HIGH
OS Command Injection (CWE-78)
2026-04-12 VulDB
8.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 19:07 vuln.today
cvss_changed
PoC Detected
Apr 27, 2026 - 19:05 vuln.today
Public exploit code
Severity Changed
Apr 12, 2026 - 05:22 NVD
CRITICAL HIGH
CVSS changed
Apr 12, 2026 - 05:22 NVD
9.8 (CRITICAL) 8.9 (HIGH)
Analysis Generated
Apr 12, 2026 - 05:05 vuln.today
EUVD ID Assigned
Apr 12, 2026 - 05:00 euvd
EUVD-2026-21706
Analysis Generated
Apr 12, 2026 - 05:00 vuln.today
CVE Published
Apr 12, 2026 - 04:00 nvd
HIGH 8.9

DescriptionCVE.org

A flaw has been found in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function setAppCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument enable can lead to os command injection. The attack may be launched remotely. The exploit has been published and may be used.

AnalysisAI

OS command injection in Totolink A7100RU router firmware (version 7.4cu.2313_b20191024) allows unauthenticated remote attackers to execute arbitrary system commands via the 'enable' parameter in the setAppCfg function of /cgi-bin/cstecgi.cgi. CVSS 9.8 critical severity with network attack vector, low complexity, and no authentication required. Publicly available exploit code exists on GitHub, significantly lowering the barrier to exploitation, though no CISA KEV listing indicates targeted campaigns have not been observed at time of analysis.

Technical ContextAI

This vulnerability affects the CGI (Common Gateway Interface) handler in Totolink A7100RU wireless router firmware, specifically within the setAppCfg function accessible via /cgi-bin/cstecgi.cgi endpoint. The root cause is CWE-78 (OS Command Injection), where user-supplied input to the 'enable' parameter is not properly sanitized before being passed to system shell commands. CGI scripts in embedded device firmware frequently suffer from insufficient input validation when interfacing between web requests and underlying Linux system calls. The affected product (CPE 2.3:a:totolink:a7100ru) is a consumer-grade wireless router, and the vulnerable firmware version 7.4cu.2313_b20191024 was released in October 2019. Command injection flaws in router administration interfaces are particularly severe because they grant attackers direct system-level access to the device's operating system, bypassing application-layer controls entirely.

RemediationAI

No vendor-released patch identified at time of analysis from available reference data. Organizations using Totolink A7100RU routers should immediately check the vendor website at https://www.totolink.net/ and contact Totolink technical support directly to inquire about patched firmware releases addressing CVE-2026-6115. As immediate risk mitigation, restrict network access to the router's administrative interface (/cgi-bin/ endpoints) to trusted management networks only, blocking internet-facing access via firewall rules or disabling remote administration features entirely. Implement network segmentation to isolate affected routers from critical infrastructure. Monitor for unusual outbound connections or system command execution patterns. Given the age of the vulnerable firmware (October 2019) and typical end-of-life cycles for consumer networking equipment, organizations should evaluate replacing affected devices with current-generation routers from vendors with stronger security update commitments. Review VulDB advisory at https://vuldb.com/vuln/356975 and the public exploit repository at https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_180/README.md to understand specific attack patterns for detection signature development.

CVE-2026-6195 HIGH POC
8.9 Apr 13

Command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to ex

CVE-2026-6156 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6155 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313 allows unauthenticated remote attackers to execute a

CVE-2026-6154 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6140 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6139 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execut

CVE-2026-6138 HIGH POC
8.9 Apr 13

OS command injection in Totolink A7100RU router firmware version 7.4cu.2313_b20191024 allows unauthenticated remote atta

CVE-2026-6132 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6131 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6116 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6114 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

CVE-2026-6113 HIGH POC
8.9 Apr 12

OS command injection in Totolink A7100RU router version 7.4cu.2313_b20191024 allows unauthenticated remote attackers to

Share

EUVD-2026-21706 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy