Description
A flaw has been found in Totolink A7100RU 7.4cu.2313_b20191024. The impacted element is the function setRemoteCfg of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument enable can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used.
Published: 2026-04-06
Score: 6.9 Medium
EPSS: 1.2% Low
KEV: No
Impact: Remote Command Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the setRemoteCfg function of /cgi-bin/cstecgi.cgi on Totolink A7100RU routers running firmware 7.4cu.2313_b20191024. Manipulating the enable argument allows an attacker to inject arbitrary OS commands, representing classic command injection weaknesses (CWE-77 and CWE-78). The flaw enables remote execution of system commands with the privileges of the router, potentially compromising the device and the network it manages.

Affected Systems

Devices affected are Totolink A7100RU routers supplied with firmware 7.4cu.2313_b20191024. No other vendors or products are listed in the CNA data.

Risk and Exploitability

The CVSS base score of 6.9 indicates moderate severity, and the EPSS score of <1% indicates a very low probability of exploitation. The vulnerability is not yet catalogued in CISA’s KEV list, but an exploit has been published. The flaw can be triggered remotely, presumably via HTTP requests to the setRemoteCfg endpoint, which can be automated and does not require authentication.

Generated by OpenCVE AI on April 21, 2026 at 23:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update for Totolink A7100RU that contains the OS command injection fix.
  • If a patch is not yet available, block or disable the cstecgi.cgi endpoint or remote configuration functionality.
  • Configure network firewall or router ACLs to restrict management interface access to trusted IPs or a VPN tunnel.
  • Monitor router logs for suspicious requests to cstecgi.cgi and investigate any anomalies.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 09:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Totolink a7100ru
Vendors & Products | | Totolink a7100ru

Tue, 07 Apr 2026 00:00:00 +0000

Type | Values Removed | Values Added
Description | | A flaw has been found in Totolink A7100RU 7.4cu.2313_b20191024. The impacted element is the function setRemoteCfg of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument enable can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used.
Title | | Totolink A7100RU cstecgi.cgi setRemoteCfg os command injection
First Time appeared | | Totolink; Totolink a7100ru Firmware
Weaknesses | | CWE-77; CWE-78
CPEs | | cpe:2.3:o:totolink:a7100ru_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Totolink; Totolink a7100ru Firmware
References | |
Metrics | | cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-07T15:08:39.861Z

Reserved: 2026-04-06T10:27:02.415Z

Link: CVE-2026-5690

Vulnrichment

Updated: 2026-04-07T14:34:54.530Z

NVD

Status: Deferred

Published: 2026-04-06T23:16:31.563

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-5690

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T23:30:02Z
