CVE-2026-6195
Totolink · A7100RU
The Totolink A7100RU router contains an OS command injection vulnerability in the setPasswordCfg function, allowing remote unauthenticated attackers to execute arbitrary commands.
Executive summary
A critical OS command injection vulnerability in the Totolink A7100RU router enables remote unauthenticated attackers to execute arbitrary system commands, posing a severe risk of full device compromise.
Vulnerability
This vulnerability exists in the CGI handler /cgi-bin/cstecgi.cgi, where the admpass argument passed to the setPasswordCfg function is not properly sanitized. Unauthenticated remote attackers can use this flaw to inject and execute system-level commands.
Business impact
The CVSS score of 9.8 reflects the critical nature of this flaw, as it allows for full remote system compromise without authentication. Successful exploitation could lead to total loss of device integrity, unauthorized access to network traffic, and the potential use of the device as a pivot point for lateral movement within the internal network.
Remediation
Immediate Action: Contact the vendor for the latest firmware release or consider isolating the affected device from the public internet immediately.
Proactive Monitoring: Review web access logs for suspicious requests directed at /cgi-bin/cstecgi.cgi, particularly those containing shell metacharacters.
Compensating Controls: Implement strict firewall rules to restrict access to the device management interface to trusted administrative IP addresses only.
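To make the log-review step concrete, the following is an added detection example (not vendor code or part of the original advisory) that scans web access log lines for requests to /cgi-bin/cstecgi.cgi whose parameters contain shell metacharacters, decoding percent-encoding (including one level of double encoding) first. The sample log lines are constructed, and the example assumes the request parameters appear in the logged URL; POST bodies are typically not recorded in access logs, so a request logged without its parameters will not be seen by this check.

```python
"""Flag access-log requests to /cgi-bin/cstecgi.cgi carrying shell metacharacters."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

TARGET_PATH = "/cgi-bin/cstecgi.cgi"
# Characters a shell would interpret; a password field has no legitimate need for them.
SHELL_META = re.compile(r"[;&|`$<>{}\n]")
# Common-log-format prefix: client IP, ident, user, timestamp, then the quoted request line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*"'
)


def check_line(line):
    """Return a finding dict if the line is a suspicious cstecgi.cgi request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    if parts.path != TARGET_PATH:
        return None
    # parse_qsl decodes one layer of percent-encoding; unquote_plus a second time
    # so that double-encoded values such as %2524 ('$') are not missed.
    hits = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote_plus(value)
        if SHELL_META.search(decoded):
            hits.append((key, decoded))
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"), "params": hits}


def scan_log(lines):
    """Run check_line over every line and keep only the findings."""
    return [f for f in (check_line(line) for line in lines) if f]


# Constructed sample log lines (not real traffic): one injection attempt with an
# encoded ';', one benign password change, one unrelated request, one double-encoded value.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2026:12:00:01 +0000] "POST /cgi-bin/cstecgi.cgi?admpass=abc%3Bxyz HTTP/1.1" 200 512 "-" "curl/8.0"',
    '192.0.2.10 - - [10/Mar/2026:12:00:05 +0000] "POST /cgi-bin/cstecgi.cgi?admpass=Str0ngPassw0rd HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [10/Mar/2026:12:00:09 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2026:12:00:12 +0000] "POST /cgi-bin/cstecgi.cgi?admpass=%2524%2528x%2529 HTTP/1.1" 200 512 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```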
Exploitation status
Public Exploit Available: Yes
Analyst recommendation
Due to the critical severity and the existence of public exploit code, this vulnerability represents an imminent threat. Administrators must prioritize updating the firmware or, if no patch is available, moving the device behind a secure VPN or firewall to prevent unauthorized remote access.