CVE-2026-6139: Totolink A7100RU Command Injection - PoC Available
CVE-2026-6139 allows unauthenticated remote command injection on Totolink A7100RU firmware 7.4cu.2313_b20191024. Apply Totolink's patch as soon as it is released.
Patch now - CVE-2026-6139 is a critical command injection in the Totolink A7100RU router running firmware version 7.4cu.2313_b20191024 that grants unauthenticated remote code execution as root. Apply the official patch from Totolink as soon as it becomes available.
Overview
A critical command injection vulnerability, CVE-2026-6139, affects the Totolink A7100RU router. The flaw resides in the UploadOpenVpnCert function within the /cgi-bin/cstecgi.cgi CGI handler. By manipulating the FileName argument, a remote, unauthenticated attacker can inject and execute arbitrary operating system commands on the device.
Technical Details
The vulnerability has a CVSS v3.1 score of 9.8 (CRITICAL). Its vector is entirely network-based (AV:N), requires no special conditions to exploit (AC:L), needs no privileges (PR:N), and demands no user interaction (UI:N). This makes the router exploitable from the internet with minimal effort. A public proof-of-concept (PoC) exploit has been disclosed, demonstrating the attack’s feasibility.
Impact
Successful exploitation grants an attacker complete control over the affected router. This can lead to a full compromise of the local network, including interception or modification of all traffic passing through the device, installation of persistent malware, and use of the router as a launch point for attacks against internal systems. Given the public PoC, the risk of widespread exploitation is high.
Remediation and Mitigation
Totolink has not released an official patch at the time of this advisory. Users of the A7100RU router with firmware version 7.4cu.2313_b20191024 must take immediate action.
- Check Firmware: Log into your router’s web administration panel and verify the installed firmware version.
- Apply Updates: Routinely check the official Totolink support website for a security update addressing CVE-2026-6139 and apply it immediately upon release.
- Network Segmentation: If patching is delayed, consider isolating the router on its own network segment to limit potential lateral movement in case of compromise.
- Access Control: Ensure the router’s administrative interface is not exposed to the public internet.
Until a patch is available, the primary mitigation is to restrict WAN-side access to the device’s management interface.
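As an added example (not part of this advisory or of Totolink's code), the following log-review helper flags requests to the affected CGI handler whose FileName value carries shell metacharacters, including URL-encoded and double-encoded forms. It assumes the FileName parameter is visible in the request line of a proxy or access log in combined format; the advisory does not state how the handler receives the argument, so requests carrying it in a POST body would need a WAF or reverse-proxy log that records bodies.

```python
"""Flag access-log lines targeting /cgi-bin/cstecgi.cgi with a suspicious FileName value."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Shell metacharacters that have no business in a certificate file name.
SHELL_META = re.compile(r"[;&|`$\n\r<>]")

# Request-line extractor for combined/common log format.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated URL encoding so a double-encoded ';' (%253B) is still caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious(line: str) -> bool:
    """True if the line requests /cgi-bin/cstecgi.cgi with metacharacters in FileName."""
    match = REQUEST_RE.search(line)
    if not match:
        return False
    url = urlsplit(match.group(1))
    if not url.path.endswith("/cgi-bin/cstecgi.cgi"):
        return False
    # parse_qs already decodes one layer; decode_fully handles nested encoding.
    for raw in parse_qs(url.query, keep_blank_values=True).get("FileName", []):
        if SHELL_META.search(decode_fully(raw)):
            return True
    return False


def scan(lines):
    """Return the indices of suspicious lines."""
    return [i for i, line in enumerate(lines) if is_suspicious(line)]


# Constructed sample log lines (not real traffic): a benign upload, a plain
# metacharacter, a double-encoded one, and a non-CGI request with the same parameter.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2026:10:00:00 +0000] "GET /cgi-bin/cstecgi.cgi?FileName=client.ovpn HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2026:10:00:01 +0000] "GET /cgi-bin/cstecgi.cgi?FileName=client.ovpn%3Bid HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2026:10:00:02 +0000] "GET /cgi-bin/cstecgi.cgi?FileName=x%2524%2528id%2529 HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/Jan/2026:10:00:03 +0000] "GET /index.html?FileName=a%3Bb HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))  # → [1, 2]
```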
Security Insight
This vulnerability underscores the persistent security challenges in consumer and SOHO network equipment, where CGI-based administration interfaces are a frequent source of command injection flaws. It mirrors historical incidents in other router brands, highlighting a pattern where basic input sanitization failures in web-facing components lead to catastrophic network compromise. The public availability of a PoC for a flaw with such a high CVSS score will likely accelerate exploit development, placing unpatched devices at significant risk.