CVE-2026-6114 - Vulnerability Details

- Totolink A7100RU CGI cstecgi.cgi setNetworkCfg os command injection

Description

A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this issue is the function setNetworkCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument proto results in os command injection. The attack may be initiated remotely. The exploit is now public and may be used.

Published: 2026-04-12

Score: 9.3 Critical

EPSS: 1.2% Low

KEV: No

Impact:

Action:

Analysis

Impact

The setNetworkCfg function in /cgi-bin/cstecgi.cgi of the A7100RU firmware accepts a proto parameter that can be manipulated to trigger an OS command injection. This flaw allows remote attackers to execute arbitrary system commands on the router, giving them full control of the device’s operating system. The vulnerability directly compromises the confidentiality, integrity and availability of the router itself.

Affected Systems

The vulnerability affects the Totolink A7100RU router with firmware version 7.4cu.2313_b20191024; no other versions or products are listed as affected.

Risk and Exploitability

The CVSS score of 9.3 marks this as a critical issue. The attack vector is remote, as a crafted HTTP request to cstecgi.cgi can trigger the flaw. The public availability of exploit code suggests a higher likelihood of exploitation, though the exact probability is not quantified in the data provided. The device is commonly exposed to the internet, making it a prime target for attackers seeking to compromise consumer routers. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Totolink

A7100RU

affected

Version	Status	Constraints
`7.4cu.2313_b20191024`	affected	—

No data.

Vendor Product Confidence Versions

Totolink

A7100ru

100%

Version	Status	Scheme	Platform
`7.4cu.2313_b20191024`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest firmware update released by Totolink for the A7100RU router that addresses this vulnerability
If no update is available, block external access to the router’s web management interface or disable it entirely
Restrict router management access to trusted internal networks or enforce VPN‑only access
Monitor router logs and network traffic for signs of unusual command execution or outbound activity
Check for further vendor advisories and apply patches as soon as they are released

Generated by OpenCVE AI on April 12, 2026 at 05:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

The EPSS score is 0.01221.

Exploitation poc

Automatable yes

Technical Impact total

References

Link	Providers
https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_179/README.md
https://vuldb.com/submit/792247
https://vuldb.com/vuln/356974
https://vuldb.com/vuln/356974/cti
https://www.totolink.net/

History

Tue, 14 Apr 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 13 Apr 2026 13:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Totolink a7100ru
Vendors & Products		Totolink a7100ru

Sun, 12 Apr 2026 04:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this issue is the function setNetworkCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument proto results in os command injection. The attack may be initiated remotely. The exploit is now public and may be used.
Title		Totolink A7100RU CGI cstecgi.cgi setNetworkCfg os command injection
First Time appeared		Totolink Totolink a7100ru Firmware
Weaknesses		CWE-77 CWE-78
CPEs		cpe:2.3:o:totolink:a7100ru_firmware::::::::
Vendors & Products		Totolink Totolink a7100ru Firmware
References		https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_179/README.md https://vuldb.com/submit/792247 https://vuldb.com/vuln/356974 https://vuldb.com/vuln/356974/cti https://www.totolink.net/
Metrics		cvssV2_0 `{'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Totolink A7100ru A7100ru Firmware

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-12T03:30:16.504Z

Updated: 2026-04-14T16:33:32.690Z

Reserved: 2026-04-11T08:18:08.440Z

Link: CVE-2026-6114

Vulnrichment

Updated: 2026-04-14T15:17:56.752Z

NVD

Status : Deferred

Published: 2026-04-12T04:16:49.267

Modified: 2026-04-27T19:05:57.310

Link: CVE-2026-6114

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T12:56:20Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Exploitation poc

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object