EUVD-2026-21749
GHSA-6469-mcff-f6m6
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Tags
Description
A vulnerability was determined in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this issue is the function setLedCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument enable causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
Analysis
OS command injection in Totolink A7100RU router firmware 7.4cu.2313_b20191024 allows unauthenticated remote attackers to execute arbitrary system commands via the 'enable' parameter in the setLedCfg function of /cgi-bin/cstecgi.cgi. Public exploit code exists (GitHub), making this vulnerability immediately weaponizable with CVSS 9.8 (Critical). …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all Totolik A7100RU devices on your network using asset inventory or network scanning tools; check firmware version via device management interface. Within 7 days: Isolate affected devices to a segregated management VLAN if firmware update is unavailable; implement network-level access controls restricting administrative interfaces to trusted IP ranges only; document inventory for vendor communication. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today