CVE-2026-6112: Totolink A7100RU Command Injection - PoC Available
CVE-2026-6112
A weakness has been identified in Totolink A7100RU 7.4cu.2313_b20191024. Affected is the function setRadvdCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the ar...
Overview
A critical command injection vulnerability, CVE-2026-6112, affects the Totolink A7100RU router. The flaw resides in the setRadvdCfg function within the /cgi-bin/cstecgi.cgi CGI handler. Attackers can exploit this by sending a specially crafted network request containing malicious commands in the maxRtrAdvInterval argument, leading to full remote code execution on the device.
Technical Details
The vulnerability has a CVSS v3.1 base score of 9.8 (CRITICAL). Its vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, meaning it can be exploited remotely over the network with low attack complexity, requires no privileges or user interaction, and leads to a complete compromise of confidentiality, integrity, and availability. The specific affected firmware version is 7.4cu.2313_b20191024. A proof-of-concept (PoC) exploit demonstrating the command injection has been made publicly available, significantly increasing the risk of weaponization.
Impact
Successful exploitation allows an unauthenticated remote attacker to execute arbitrary operating system commands on the router with root privileges. This can lead to a complete takeover of the device, enabling attackers to steal sensitive network traffic, deploy malware, create a persistent backdoor, or pivot to attack other devices on the internal network. Given the public PoC, organizations and individuals using the affected firmware should treat this as an imminent threat.
Remediation and Mitigation
The primary remediation is to apply a firmware update from Totolink. Users should immediately check the vendor’s official support portal for a patched version of the firmware for the A7100RU model and upgrade without delay.
If a patch is not immediately available, the following mitigation steps are critical:
- Restrict access to the router’s web management interface. Ensure it is not exposed to the public internet. Use firewall rules to limit access to the administrative interface from trusted internal IP addresses only.
- Monitor network traffic for unusual outbound connections or unexpected processes running on the router, as these could indicate compromise.
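The following Python sketch is an added example, not code from Totolink or from the original advisory: it flags logged requests to /cgi-bin/cstecgi.cgi whose maxRtrAdvInterval value is not a plain integer in the 4 to 1800 second range that RFC 4861 allows. The log record layout, the JSON or form-encoded body formats, and the sample records are assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qs

CGI_PATH = "/cgi-bin/cstecgi.cgi"  # path named in the advisory
PARAM = "maxRtrAdvInterval"        # argument named in the advisory
STRICT_INT = re.compile(r"[0-9]{1,5}")

def parse_body(body):
    """Parse a request body as JSON, else as form data (both are assumptions)."""
    try:
        obj = json.loads(body)
        if isinstance(obj, dict):
            return obj
    except ValueError:
        pass
    return {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}

def check_request(path, body):
    """Return a finding string, or None if the request is not suspicious."""
    if path.split("?", 1)[0] != CGI_PATH:
        return None
    params = parse_body(body)
    if PARAM not in params:
        return None
    value = str(params[PARAM])
    # fullmatch rejects separators, whitespace and trailing newlines alike
    if not STRICT_INT.fullmatch(value):
        return "non-numeric " + PARAM
    # RFC 4861 bounds MaxRtrAdvInterval to 4..1800 seconds
    if not 4 <= int(value) <= 1800:
        return PARAM + " outside 4..1800"
    return None

def scan(records):
    """Return (source, finding) for every flagged record."""
    checked = ((r["src"], check_request(r["path"], r["body"])) for r in records)
    return [(src, finding) for src, finding in checked if finding]

# Constructed sample records (hypothetical log layout, documentation IPs)
SAMPLE = [
    {"src": "192.0.2.10", "path": CGI_PATH, "body": '{"maxRtrAdvInterval": "600"}'},
    {"src": "198.51.100.7", "path": CGI_PATH, "body": '{"maxRtrAdvInterval": "600;CONSTRUCTED"}'},
    {"src": "198.51.100.8", "path": CGI_PATH, "body": "maxRtrAdvInterval=600%3BCONSTRUCTED"},
    {"src": "192.0.2.11", "path": CGI_PATH, "body": '{"maxRtrAdvInterval": 30000}'},
]

if __name__ == "__main__":
    for src, finding in scan(SAMPLE):
        print(src, finding)
```

The check is an allow-list (digits only, bounded range) rather than a list of forbidden characters, so it also catches encoded or whitespace-based variations without having to enumerate them.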
Security Insight
This vulnerability is a stark reminder of the persistent security challenges in consumer and SOHO network equipment, where web-facing CGI scripts often lack robust input sanitization. It echoes past incidents in other router brands where command injection via CGI parameters led to widespread botnet recruitment. The public availability of a working exploit for such a high-severity flaw places the onus entirely on the vendor to provide a timely, accessible patch and on users to proactively apply it.