Critical (9.8)

CVE-2026-6116: Totolink A7100RU Command Injection - PoC Available

A vulnerability has been found in Totolink A7100RU 7.4cu.2313_b20191024. This vulnerability affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The mani...

Overview

A critical vulnerability, CVE-2026-6116, has been disclosed in the Totolink A7100RU router, firmware version 7.4cu.2313_b20191024. The flaw is an operating system command injection within the device’s web management interface, allowing a remote attacker to execute arbitrary commands on the affected device with no authentication required.

Vulnerability Details

The vulnerability resides in the setDiagnosisCfg function of the /cgi-bin/cstecgi.cgi component, which handles Common Gateway Interface (CGI) requests. This function improperly processes user-supplied input in the ip parameter. By sending a specially crafted network request containing malicious commands within this parameter, an attacker can bypass intended restrictions and execute those commands directly on the router’s underlying operating system.

The public disclosure includes a proof-of-concept (PoC) exploit, demonstrating that remote exploitation is feasible. The high CVSS score of 9.8 reflects the worst-case scenario: an attack can be launched over the network with low complexity, requiring no privileges and no user interaction.

Impact

Successful exploitation grants an attacker complete control over the vulnerable router. This can lead to a full compromise of the local network, including intercepting or modifying internet traffic, stealing credentials, using the router as a pivot point to attack other internal devices, or enrolling the device into a botnet for further malicious activity. Given the public PoC, the risk of widespread exploitation attempts is significant.

Remediation and Mitigation

The primary remediation is to apply a firmware update from Totolink. Administrators should immediately check the vendor’s official support portal for a patched version of the firmware for the A7100RU model and upgrade all affected devices.

If a patch is not immediately available, consider the following mitigation strategies:

  • Isolate Devices: Restrict network access to the router’s web management interface (typically ports 80/443) to only trusted administrative networks. Do not expose this interface to the internet.
  • Monitor Logs: Increase monitoring of network traffic destined for the router’s IP address, looking for anomalous requests to the /cgi-bin/cstecgi.cgi path.
  • Consider Replacement: For devices that are no longer supported by the vendor with security updates, replacement with a supported model should be planned.
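
One way to act on the log-monitoring advice above, as an added example that is not part of the original advisory or of any vendor tooling: it allowlists the ip value of logged setDiagnosisCfg requests and reports the sources whose value is not a plain IP address or hostname. The record layout, the JSON and form body encodings and the "action" key are assumptions, and all sample records are constructed.

```python
import ipaddress
import json
import re
from urllib.parse import parse_qs

CGI_PATH = "/cgi-bin/cstecgi.cgi"  # path named in the advisory
ACTION = "setDiagnosisCfg"         # function named in the advisory
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(rf"{LABEL}(?:\.{LABEL})*")

def extract_ip_param(body):
    """Return the 'ip' field of a JSON or form-encoded body, or None."""
    try:
        data = json.loads(body)
        if isinstance(data, dict) and "ip" in data:
            return str(data["ip"])
    except ValueError:
        pass
    values = parse_qs(body, keep_blank_values=True).get("ip")
    return values[0] if values else None

def is_plain_target(value):
    """Allowlist: accept only an IP literal or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return len(value) <= 253 and HOSTNAME.fullmatch(value) is not None

def classify(path, body):
    """'ignore', 'ok' or 'suspicious'; a missing ip field counts as suspicious."""
    if path.split("?", 1)[0] != CGI_PATH or ACTION not in body:
        return "ignore"
    value = extract_ip_param(body)
    return "ok" if value is not None and is_plain_target(value) else "suspicious"

# Constructed records (source address, path, body); "action" is a hypothetical key.
SAMPLE = [
    ("198.51.100.4", CGI_PATH, '{"action":"setDiagnosisCfg","ip":"192.0.2.7"}'),
    ("203.0.113.9", CGI_PATH, '{"action":"setDiagnosisCfg","ip":"192.0.2.7; <command>"}'),
    ("203.0.113.9", CGI_PATH, "action=setDiagnosisCfg&ip=192.0.2.7%7C%3Ccommand%3E"),
    ("198.51.100.4", CGI_PATH, '{"action":"otherAction"}'),
]

def suspicious_sources(records):
    return sorted({src for src, path, body in records if classify(path, body) == "suspicious"})

if __name__ == "__main__":
    print(suspicious_sources(SAMPLE))
```

Feed it records exported from a reverse proxy or packet capture in front of the management interface; validating against an allowlist catches URL-encoded variants that a metacharacter blocklist would miss.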

Security Insight

This vulnerability is a stark reminder of the persistent security challenges in consumer and SOHO network equipment, where CGI-based administration interfaces are a common attack surface. Similar command injection flaws in routers from other vendors have historically led to large-scale botnet recruitment. The public availability of a working PoC for CVE-2026-6116 will likely accelerate exploit integration into automated attack frameworks, placing unpatched devices at immediate risk.
