Description
A vulnerability was identified in Totolink A7100RU 7.4cu.2313_b20191024. This vulnerability affects the function setWiFiGuestCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Manipulation of the argument wifiOff leads to OS command injection. The attack can be executed remotely. The exploit is publicly available and might be used.
Published: 2026-04-10
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A flaw in the setWiFiGuestCfg function of the /cgi-bin/cstecgi.cgi CGI handler permits an attacker to inject operating‑system commands via the wifiOff argument. This OS command injection can lead to execution of arbitrary commands on the router, effectively providing the attacker with remote code execution capabilities. The vulnerability is associated with CWE-77 and CWE-78 and a publicly available exploit exists.

Affected Systems

The vulnerability affects Totolink A7100RU routers running firmware 7.4cu.2313_b20191024. Any device of this model with the specified firmware version is vulnerable.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity, and the attack is remote, allowing exploitation over the network. An exploit is publicly posted, increasing the likelihood of real‑world attacks. The EPSS score is not available and the vulnerability is not listed in CISA's KEV catalog, but the combination of high CVSS, public exploit availability, and remote nature results in a high risk that demands prompt remediation.

Generated by OpenCVE AI on April 10, 2026 at 02:25 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update from Totolink that addresses the CGI handler vulnerability.
  • If a patch is not immediately available, disable or block access to the /cgi-bin/cstecgi.cgi endpoint or the guest WiFi configuration interface via router settings or network ACLs.
  • Restrict remote administration to trusted IP addresses or networks to reduce the attack surface.
  • Monitor router logs for unexpected use of the wifiOff parameter or signs of command execution attempts.



Advisories

No advisories yet.

History

Fri, 10 Apr 2026 09:00:00 +0000

Type | Values Removed | Values Added
First Time appeared |  | Totolink a7100ru
Vendors & Products |  | Totolink a7100ru

Fri, 10 Apr 2026 01:00:00 +0000

Type | Values Removed | Values Added
Description |  | A vulnerability was identified in Totolink A7100RU 7.4cu.2313_b20191024. This vulnerability affects the function setWiFiGuestCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument wifiOff leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used.
Title |  | Totolink A7100RU CGI cstecgi.cgi setWiFiGuestCfg os command injection
First Time appeared |  | Totolink; Totolink a7100ru Firmware
Weaknesses |  | CWE-77; CWE-78
CPEs |  | cpe:2.3:o:totolink:a7100ru_firmware:*:*:*:*:*:*:*:*
Vendors & Products |  | Totolink; Totolink a7100ru Firmware
References |  |
Metrics (cvssV2_0) |  | score 10, vector AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR
Metrics (cvssV3_0) |  | score 9.8, vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R
Metrics (cvssV3_1) |  | score 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R
Metrics (cvssV4_0) |  | score 9.3, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-10T00:15:14.223Z

Reserved: 2026-04-09T12:49:01.165Z

Link: CVE-2026-5993

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-10T01:16:41.743

Modified: 2026-04-10T01:16:41.743

Link: CVE-2026-5993

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:27:20Z

Weaknesses