Volerion logoVolerion
Volerion logoVolerion

Totolink A7100RU Command Injection Vulnerability in CGI Handler

Vulnerability

A command injection vulnerability has been identified in the Totolink A7100RU router running version 7.4cu.2313_b20191024. The issue resides in the CGI handler, specifically within the 'setLedCfg' function of the '/cgi-bin/cstecgi.cgi' file. This vulnerability allows remote attackers to execute arbitrary operating system commands by manipulating the 'enable' parameter in a crafted HTTP request. The injected commands are executed with root privileges on the device, potentially compromising the entire router and the connected network.

Impact

Exploitation of this vulnerability allows for arbitrary OS command execution with root privileges on the affected router.

Reproduction

To reproduce this vulnerability, send a POST request to '/cgi-bin/cstecgi.cgi' with the 'enable' parameter set to a command payload, such as a 'wget' command. The router will execute the injected command, demonstrating the command injection vulnerability.

Added: Apr 12, 2026, 11:19 PM
Updated: Apr 12, 2026, 11:19 PM

Vulnerability Rating

Custom Algorithm
spread
2.6
impact
7.5
exploitability
9.1
remediation
7.7
relevance
5.7
threat
6.4
urgency
2.9
incentive
8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.