Description
A vulnerability was found in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this vulnerability is the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument command results in os command injection. The attack may be launched remotely. The exploit has been made public and could be used.
Published: 2026-04-12
Score: 9.3 Critical
EPSS: 1.2% Low
KEV: No
Impact: Remote Command Execution via OS Command Injection
Action: Immediate Patch
AI Analysis

Impact

The function setTracerouteCfg in /cgi-bin/cstecgi.cgi can be manipulated to inject arbitrary operating system commands, resulting in remote code execution. This flaw maps to CWE-77 and CWE-78 and allows an attacker to compromise confidentiality, integrity, and availability of the device and the network.

Affected Systems

The vulnerability affects Totolink A7100RU routers running firmware version 7.4cu.2313_b20191024. No other vendors or products are listed in the CVE record.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity, but an EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Public exploit code has been released and the attack vector is remote, enabling attackers to trigger the injection from outside the local network without prior authentication.

Generated by OpenCVE AI on April 12, 2026 at 23:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an up‑to‑date firmware upgrade that removes the vulnerable cstecgi.cgi entry; check Totolink’s support website for the latest A7100RU firmware.
  • If a patch is not yet available, block remote access to /cgi-bin/cstecgi.cgi or disable traceroute configuration functionality via the router’s web interface.
  • Monitor the router’s access logs for repeated attempts to send command parameters to setTracerouteCfg and investigate any suspicious activity.

Generated by OpenCVE AI on April 12, 2026 at 23:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Totolink a7100ru
Vendors & Products Totolink a7100ru

Sun, 12 Apr 2026 22:30:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this vulnerability is the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument command results in os command injection. The attack may be launched remotely. The exploit has been made public and could be used.
Title Totolink A7100RU CGI cstecgi.cgi setTracerouteCfg os command injection
First Time appeared Totolink
Totolink a7100ru Firmware
Weaknesses CWE-77
CWE-78
CPEs cpe:2.3:o:totolink:a7100ru_firmware:*:*:*:*:*:*:*:*
Vendors & Products Totolink
Totolink a7100ru Firmware
References
Metrics cvssV2_0

{'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Totolink A7100ru A7100ru Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-14T16:33:00.472Z

Reserved: 2026-04-12T07:11:24.309Z

Link: CVE-2026-6131

cve-icon Vulnrichment

Updated: 2026-04-14T15:19:22.319Z

cve-icon NVD

Status : Deferred

Published: 2026-04-12T23:16:25.700

Modified: 2026-04-27T19:05:57.310

Link: CVE-2026-6131

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T12:53:57Z

Weaknesses