CVE-2026-6025
Received Received - Intake
OS Command Injection in Totolink A7100RU CGI Handler Enables Remote Exploit

Publication date: 2026-04-10

Last updated on: 2026-04-10

Assigner: VulDB

Description
A vulnerability was identified in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function setSyslogCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument enable leads to os command injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-10
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6025
EUVD
EUVD-2026-21314
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
totolink a7100ru 7.4cu.2313_b20191024
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability allows remote attackers to execute arbitrary operating system commands on the affected router without any authentication.

Successful exploitation can lead to full compromise of the router, enabling attackers to control network traffic, intercept data, deploy malware, or use the device as a foothold for further attacks within the network.

Because the exploit is publicly available, the risk of attack is high.

Executive Summary

CVE-2026-6025 is a command injection vulnerability in the TOTOLINK A7100RU router, version 7.4cu.2313_b20191024. It occurs in the CGI Handler component, specifically in the setSyslogCfg function of the /cgi-bin/cstecgi.cgi file.

The vulnerability arises because the user-supplied "enable" parameter is passed to a function that formats it into a buffer and then executes it as an OS command. This allows an attacker to inject arbitrary commands that the router will execute.

An attacker can exploit this remotely by sending a crafted HTTP POST request with a malicious "enable" value, causing the router to run the injected command.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious HTTP POST requests sent to the /cgi-bin/cstecgi.cgi endpoint on the Totolink A7100RU router. Specifically, look for JSON payloads containing the "enable" parameter with unusual or command-like values.

A practical detection method is to capture network traffic and search for POST requests targeting /cgi-bin/cstecgi.cgi with payloads that include commands such as wget or other shell commands.

Example command to detect such attempts using tcpdump:

  • tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/cgi-bin/cstecgi.cgi'

Alternatively, use tools like Wireshark to filter HTTP POST requests to /cgi-bin/cstecgi.cgi and inspect the payload for suspicious "enable" parameter values.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable router's management interface to trusted networks only, such as limiting access via firewall rules or network segmentation.

Disable remote management features if not required, to prevent remote exploitation.

Monitor network traffic for exploitation attempts and block suspicious IP addresses.

If available, update the router firmware to a version that patches this vulnerability.

As a temporary workaround, consider implementing web application firewall (WAF) rules to block HTTP POST requests containing suspicious "enable" parameter values targeting /cgi-bin/cstecgi.cgi.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6025. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart