Description
A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function setStorageCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument sambaEnabled results in os command injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks.
Published: 2026-04-09
Score: 9.3 Critical
EPSS: 1.3% Low
KEV: No
Impact: Remote OS Command Execution via CGI
Action: Immediate Patch
AI Analysis

Impact

An OS command injection flaw exists in the setStorageCfg function of /cgi-bin/cstecgi.cgi on Totolink A7100RU routers. By manipulating the sambaEnabled argument, an attacker can execute arbitrary shell commands on the device, potentially taking full control of the router. This allows compromise of confidentiality, integrity, and availability of the network traffic processed by the device, and can serve as a foothold for further attacks on connected infrastructure.

Affected Systems

Totolink A7100RU routers running firmware 7.4cu.2313_b20191024 are affected. The flaw resides in the CGI Handler component of the firmware.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.3, indicating critical severity. No EPSS score is available, but the description confirms that a public exploit has been released. The likely attack vector is a remote HTTP request to cstecgi.cgi that manipulates the sambaEnabled parameter. Given the high severity and public availability of an exploit, the risk to any exposed device is significant and warrants immediate attention.

Generated by OpenCVE AI on April 9, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Totolink firmware update that patches the command injection vulnerability.


Advisories

No advisories yet.

History

Mon, 13 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared: Totolink a7100ru
Vendors & Products: Totolink a7100ru

Thu, 09 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Description: A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function setStorageCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument sambaEnabled results in os command injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks.
Title: Totolink A7100RU CGI cstecgi.cgi setStorageCfg os command injection
First Time appeared: Totolink; Totolink a7100ru Firmware
Weaknesses: CWE-77, CWE-78
CPEs: cpe:2.3:o:totolink:a7100ru_firmware:*:*:*:*:*:*:*:*
Vendors & Products: Totolink; Totolink a7100ru Firmware
References:
Metrics:
cvssV2_0: {'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
cvssV3_0: {'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-13T20:21:31.141Z

Reserved: 2026-04-09T12:11:42.594Z

Link: CVE-2026-5976

Vulnrichment

Updated: 2026-04-13T20:21:27.668Z

NVD

Status: Deferred

Published: 2026-04-09T20:16:29.763

Modified: 2026-04-27T19:05:57.310

Link: CVE-2026-5976

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:29:23Z
