Description
A vulnerability was determined in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this issue is the function setLedCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument enable causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
Published: 2026-04-12
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows a remote attacker to inject operating system commands through the "enable" parameter of the /cgi-bin/cstecgi.cgi setLedCfg function. This exploitation can lead to full control of the device, compromising confidentiality, integrity, and availability of the affected router.

Affected Systems

The flaw is present in Totolink routers model A7100RU running firmware 7.4cu.2313_b20191024. Users of this firmware variant are directly exposed to the risk if the router is accessible from the network.

Risk and Exploitability

With a CVSS score of 9.3, the vulnerability poses a high severity risk. Although an EPSS score is not provided, the publicly disclosed exploit indicates that the issue is actively leveraged in the wild. The attack vector is remote, likely via an unauthenticated HTTP request to the CGI endpoint. The absence from the CISA KEV catalog does not diminish the need for immediate remediation.

Generated by OpenCVE AI on April 12, 2026 at 23:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware patch released by Totolink for the A7100RU that removes the command injection flaw.
  • If a patch is unavailable, block or restrict external access to the /cgi-bin/cstecgi.cgi endpoint using firewall or ACL rules.
  • Monitor router logs for unexpected or malformed "enable" parameter values that could indicate attempted exploitation.
  • Ensure the router is placed behind appropriate network segmentation and minimal exposure to the internet.

Generated by OpenCVE AI on April 12, 2026 at 23:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Totolink a7100ru
Vendors & Products Totolink a7100ru

Sun, 12 Apr 2026 22:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was determined in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this issue is the function setLedCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument enable causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
Title Totolink A7100RU CGI cstecgi.cgi setLedCfg os command injection
First Time appeared Totolink
Totolink a7100ru Firmware
Weaknesses CWE-77
CWE-78
CPEs cpe:2.3:o:totolink:a7100ru_firmware:*:*:*:*:*:*:*:*
Vendors & Products Totolink
Totolink a7100ru Firmware
References
Metrics cvssV2_0

{'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Totolink A7100ru A7100ru Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-13T17:55:22.477Z

Reserved: 2026-04-12T07:11:28.188Z

Link: CVE-2026-6132

cve-icon Vulnrichment

Updated: 2026-04-13T17:55:16.595Z

cve-icon NVD

Status : Deferred

Published: 2026-04-12T23:16:25.917

Modified: 2026-04-27T19:05:57.310

Link: CVE-2026-6132

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T12:53:56Z

Weaknesses