Primary

Context

Totolink A7100RU Command Injection Vulnerability in CGI Handler

Vulnerability

A command injection vulnerability has been identified in the Totolink A7100RU router, specifically in the 7.4cu.2313_b20191024 version. The issue arises in the CGI handler, within the 'setPptpServerCfg' function of the '/cgi-bin/cstecgi.cgi' file. This vulnerability allows remote attackers to execute arbitrary operating system commands by manipulating the 'enable' parameter in a crafted HTTP request. The injected commands are executed with root privileges, potentially compromising the router and the connected network.

Impact

Exploitation of this vulnerability allows for arbitrary OS command execution with root privileges on the affected router.

Reproduction

To reproduce this vulnerability, send a POST request to '/cgi-bin/cstecgi.cgi' with the 'enable' parameter set to a command, such as 'wget' followed by a URL. The router will execute the command, demonstrating the command injection vulnerability.

Added: Apr 10, 2026, 7:49 AM

Updated: Apr 10, 2026, 7:49 AM

Vulnerability Rating

Custom Algorithm

spread

2.6

impact

7.5

exploitability

9.1

remediation

0.0

relevance

5.6

threat

6.4

urgency

2.9

incentive

8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

2.6

impact

7.5

exploitability

9.1

remediation

0.0

relevance

5.6

threat

6.4

urgency

2.9

incentive

8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Totolink A7100RU Command Injection Vulnerability in CGI Handler

Vulnerability

Impact

Reproduction

Affected Products

Totolink A7100RU

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating