Description
A weakness has been identified in Totolink A7100RU 7.4cu.2313_b20191024. This issue affects the function setUrlFilterRules of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument enable can lead to os command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.
Published: 2026-04-10
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an OS command injection in the setUrlFilterRules function of the /cgi-bin/cstecgi.cgi CGI handler. By manipulating the enable argument, an unauthenticated attacker can execute arbitrary shell commands on the device. This gives the attacker full control of the router, enabling compromise of confidentiality, integrity, and availability of the surrounding network.

Affected Systems

The flaw exists in Totolink A7100RU routers running firmware version 7.4cu.2313_b20191024. Only this specific build is affected; other firmware revisions are not impacted.

Risk and Exploitability

The CVSS base score of 9.3 indicates critical severity, and the lack of mitigation in the public domain means attackers could exploit the flaw remotely without authentication. The exploit is publicly available, suggesting a high likelihood of real-world attacks. The vulnerability is not listed in the CISA KEV catalog, but the remote nature and high impact still warrant urgent remediation.

Generated by OpenCVE AI on April 10, 2026 at 07:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update from Totolink that addresses the command injection in cstecgi.cgi.
  • If a patch is not yet released, block external access to the /cgi-bin/cstecgi.cgi endpoint using a firewall or ACL.
  • Segment the network so that the router is isolated from critical internal hosts.
  • Enable logging and monitor for suspicious CGI activity.
  • Check the Totolink website or vendor support for additional advisory information.

Generated by OpenCVE AI on April 10, 2026 at 07:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Totolink a7100ru
Vendors & Products Totolink a7100ru

Fri, 10 Apr 2026 06:15:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in Totolink A7100RU 7.4cu.2313_b20191024. This issue affects the function setUrlFilterRules of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument enable can lead to os command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.
Title Totolink A7100RU CGI cstecgi.cgi setUrlFilterRules os command injection
First Time appeared Totolink
Totolink a7100ru Firmware
Weaknesses CWE-77
CWE-78
CPEs cpe:2.3:o:totolink:a7100ru_firmware:*:*:*:*:*:*:*:*
Vendors & Products Totolink
Totolink a7100ru Firmware
References
Metrics cvssV2_0

{'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Totolink A7100ru A7100ru Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-10T06:00:22.402Z

Reserved: 2026-04-09T15:55:23.724Z

Link: CVE-2026-6027

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-10T07:16:21.583

Modified: 2026-04-10T07:16:21.583

Link: CVE-2026-6027

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:26:35Z

Weaknesses