Description
A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this issue is the function setWiFiEasyCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument merge results in os command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.
Published: 2026-04-09
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution
Action: Patch Immediately
AI Analysis

Impact

A firmware flaw in the Totolink A7100RU router allows an attacker to manipulate the merge argument of the setWiFiEasyCfg function within the /cgi-bin/cstecgi.cgi CGI handler. This manipulation results in operating‑system command injection, enabling an adversary to run arbitrary commands with the privileges of the router software.

Affected Systems

The vulnerability affects all Totolink A7100RU devices that are running firmware version 7.4cu.2313_b20191024. Devices with other firmware releases are not known to be impacted.

Risk and Exploitability

The CVSS score of 9.3 indicates a very high severity. An EPSS score is not available, and the flaw is not listed in the CISA KEV catalog. The attack vector is remote, relying on network access to the router’s web interface. Because the exploit is publicly available, an attacker can potentially achieve full control of the router if the vulnerability is not mitigated.

Generated by OpenCVE AI on April 9, 2026 at 08:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update from Totolink when it becomes available for the affected router model.
  • If an update is not yet released, restrict external access to the router’s web interface and block the /cgi-bin/cstecgi.cgi path at the perimeter firewall.
  • Continuously monitor for new advisories or patches from Totolink and apply them promptly.


Advisories

No advisories yet.

History

Thu, 09 Apr 2026 14:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Thu, 09 Apr 2026 08:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Totolink a7100ru |
| Vendors & Products | | Totolink a7100ru |

Thu, 09 Apr 2026 07:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this issue is the function setWiFiEasyCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument merge results in os command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. |
| Title | | Totolink A7100RU CGI cstecgi.cgi setWiFiEasyCfg os command injection |
| First Time appeared | | Totolink; Totolink a7100ru Firmware |
| Weaknesses | | CWE-77; CWE-78 |
| CPEs | | cpe:2.3:o:totolink:a7100ru_firmware:*:*:*:*:*:*:*:* |
| Vendors & Products | | Totolink; Totolink a7100ru Firmware |
| References | | |
| Metrics | | cvssV2_0 {'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'} |
| | | cvssV3_0 {'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'} |
| | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'} |
| | | cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'} |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-09T13:15:25.316Z

Reserved: 2026-04-08T19:20:18.876Z

Link: CVE-2026-5854

Vulnrichment

Updated: 2026-04-09T13:14:39.667Z

NVD

Status: Deferred

Published: 2026-04-09T07:16:05.477

Modified: 2026-04-27T19:05:57.310

Link: CVE-2026-5854

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:33:05Z

Weaknesses