Description
A vulnerability was determined in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this issue is the function setLedCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument enable causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
Published: 2026-04-12
Score: 9.3 Critical
EPSS: 2.2% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a remote attacker to inject operating system commands through the "enable" parameter of the /cgi-bin/cstecgi.cgi setLedCfg function. This exploitation can lead to full control of the device, compromising confidentiality, integrity, and availability of the affected router.

Affected Systems

The flaw is present in Totolink routers model A7100RU running firmware 7.4cu.2313_b20191024. Users of this firmware variant are directly exposed to the risk if the router is accessible from the network.

Risk and Exploitability

With a CVSS score of 9.3, the vulnerability poses a high severity risk. The EPSS score of 2% indicates a low probability of exploitation, but the publicly disclosed exploit indicates that the issue may be actively leveraged in the wild. The attack vector is remote, likely via an unauthenticated HTTP request to the CGI endpoint. The absence from the CISA KEV catalog does not diminish the need for immediate remediation.

Generated by OpenCVE AI on June 18, 2026 at 09:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware patch released by Totolink for the A7100RU that removes the command injection flaw.
  • If a patch is unavailable, block or restrict external access to the /cgi-bin/cstecgi.cgi endpoint using firewall or ACL rules.
  • Monitor router logs for unexpected or malformed "enable" parameter values that could indicate attempted exploitation.
  • Ensure the router is placed behind appropriate network segmentation and minimal exposure to the internet.

Generated by OpenCVE AI on June 18, 2026 at 09:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Totolink a7100ru
Vendors & Products Totolink a7100ru

Sun, 12 Apr 2026 22:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was determined in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this issue is the function setLedCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument enable causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
Title Totolink A7100RU CGI cstecgi.cgi setLedCfg os command injection
First Time appeared Totolink
Totolink a7100ru Firmware
Weaknesses CWE-77
CWE-78
CPEs cpe:2.3:o:totolink:a7100ru_firmware:*:*:*:*:*:*:*:*
Vendors & Products Totolink
Totolink a7100ru Firmware
References
Metrics cvssV2_0

{'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Totolink A7100ru A7100ru Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-13T17:55:22.477Z

Reserved: 2026-04-12T07:11:28.188Z

Link: CVE-2026-6132

cve-icon Vulnrichment

Updated: 2026-04-13T17:55:16.595Z

cve-icon NVD

Status : Deferred

Published: 2026-04-12T23:16:25.917

Modified: 2026-06-17T11:00:21.533

Link: CVE-2026-6132

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T09:30:15Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')