Primary

Context

Totolink A7100RU Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in the Totolink A7100RU router, specifically in the 7.4cu.2313_b20191024 version. The issue arises in the web management interface's CGI handler, '/cgi-bin/cstecgi.cgi', within the 'setFirewallType' function. The vulnerability allows remote attackers to execute arbitrary operating system commands by manipulating the 'firewallType' parameter. The injected commands are executed with root privileges, potentially compromising the router and the connected network.

Impact

Exploitation of this vulnerability allows for arbitrary OS command execution with root privileges on the affected router.

Reproduction

To reproduce this vulnerability, send a POST request to '/cgi-bin/cstecgi.cgi' with the 'firewallType' parameter set to a crafted command, such as 'wget' followed by a URL. The router will execute the command, demonstrating the command injection flaw.

Added: Apr 6, 2026, 11:18 PM

Updated: Apr 6, 2026, 11:18 PM

Vulnerability Rating

Custom Algorithm

spread

2.6

impact

7.5

exploitability

9.1

remediation

0.0

relevance

5.4

threat

6.5

urgency

2.9

incentive

8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

2.6

impact

7.5

exploitability

9.1

remediation

0.0

relevance

5.4

threat

6.5

urgency

2.9

incentive

8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Totolink A7100RU Command Injection Vulnerability

Vulnerability

Impact

Reproduction

Affected Products

Totolink A7100RU

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating