CVE-2026-6139: Totolink A7100RU Command Injection - PoC Available
A vulnerability has been found in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function UploadOpenVpnCert of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of...
Overview
A critical command injection vulnerability, CVE-2026-6139, affects the Totolink A7100RU router. The flaw resides in the UploadOpenVpnCert function within the /cgi-bin/cstecgi.cgi CGI handler. By manipulating the FileName argument, a remote, unauthenticated attacker can inject and execute arbitrary operating system commands on the device.
Technical Details
The vulnerability has a CVSS v3.1 score of 9.8 (CRITICAL). Its vector is entirely network-based (AV:N), requires no special conditions to exploit (AC:L), needs no privileges (PR:N), and demands no user interaction (UI:N). This makes the router exploitable from the internet with minimal effort. A public proof-of-concept (PoC) exploit has been disclosed, demonstrating the attack’s feasibility.
Impact
Successful exploitation grants an attacker complete control over the affected router. This can lead to a full compromise of the local network, including interception or modification of all traffic passing through the device, installation of persistent malware, and use of the router as a launch point for attacks against internal systems. Given the public PoC, the risk of widespread exploitation is high.
Remediation and Mitigation
Totolink has not released an official patch at the time of this advisory. Users of the A7100RU router with firmware version 7.4cu.2313_b20191024 must take immediate action.
- Check Firmware: Log into your router’s web administration panel and verify the installed firmware version.
- Apply Updates: Routinely check the official Totolink support website for a security update addressing CVE-2026-6139 and apply it immediately upon release.
- Network Segmentation: If patching is delayed, consider isolating the router on its own network segment to limit potential lateral movement in case of compromise.
- Access Control: Ensure the router’s administrative interface is not exposed to the public internet.
Until a patch is available, the primary mitigation is to restrict WAN-side access to the device’s management interface.
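As an added illustration (not code from this advisory or from Totolink), the following check flags FileName values submitted to /cgi-bin/cstecgi.cgi that could not be a legitimate certificate file name, so that attempts against the UploadOpenVpnCert handler can be spotted in traffic while the device remains unpatched. It assumes an inspecting proxy or IDS records the request path and the raw form parameters; the request records below are constructed samples, and the allowlist and metacharacter patterns are the author's choices, not anything taken from the firmware.

```python
import re
from urllib.parse import unquote_plus

TARGET_PATH = "/cgi-bin/cstecgi.cgi"
# Shell metacharacters that never belong in an uploaded certificate's file name.
SHELL_META = re.compile(r"[;&|`<>\r\n]|\$[({]")
# Conservative allowlist for a legitimate OpenVPN certificate or key file name.
SAFE_FILENAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

# Constructed sample records (not real traffic): client address, request path
# and the raw parameter string as an inspecting proxy would log it.
SAMPLE_REQUESTS = [
    {"src": "192.0.2.10", "path": TARGET_PATH, "params": "FileName=client.ovpn"},
    {"src": "198.51.100.7", "path": TARGET_PATH, "params": "FileName=a.crt%3Bid"},
    {"src": "192.0.2.11", "path": TARGET_PATH, "params": "FileName=..%2F..%2Fetc%2Fpasswd"},
    {"src": "192.0.2.12", "path": "/index.html", "params": "FileName=a.crt%3Bid"},
]

def parse_params(raw):
    """Split a form-encoded string on '&' only (never ';') and percent-decode it."""
    params = {}
    for pair in raw.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params

def classify_filename(value):
    """'benign' if the name fits the allowlist, 'injection' if it carries shell
    metacharacters, otherwise 'suspicious' (for example path traversal)."""
    if SAFE_FILENAME.fullmatch(value):
        return "benign"
    if SHELL_META.search(value):
        return "injection"
    return "suspicious"

def scan(records):
    """Return one alert per non-benign FileName sent to the vulnerable CGI handler."""
    alerts = []
    for rec in records:
        if rec["path"] != TARGET_PATH:
            continue  # only the vulnerable endpoint is of interest
        for value in parse_params(rec["params"]).get("FileName", []):
            verdict = classify_filename(value)
            if verdict != "benign":
                alerts.append({"src": rec["src"], "FileName": value, "verdict": verdict})
    return alerts
```

The same filter, applied at the WAN edge as a block rather than an alert, is one concrete way to enforce the access-control item above.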
Security Insight
This vulnerability underscores the persistent security challenges in consumer and SOHO network equipment, where CGI-based administration interfaces are a frequent source of command injection flaws. It mirrors historical incidents in other router brands, highlighting a pattern where basic input sanitization failures in web-facing components lead to catastrophic network compromise. The public availability of a PoC for a flaw with such a high CVSS score will likely accelerate exploit development, placing unpatched devices at significant risk.