Second Critical Command Injection Found in TOTOLINK A7100RU Firmware
TOTOLINK A7100RU routers running firmware 7.4cu.2313_b20191024 are affected by a second critical OS command injection vulnerability, tracked as CVE-2026-5978, disclosed on April 9, 2026 — the same day as the closely related CVE-2026-5977. This flaw affects the setWiFiAclRules function in /cgi-bin/cstecgi.cgi, where the mode argument is passed unsanitized to a shell command, enabling unauthenticated remote attackers to execute arbitrary OS commands.
The vulnerability carries a CVSS v3.1 score of 9.8 (Critical). Like CVE-2026-5977, it requires no authentication, no user interaction, and is exploitable entirely over the network.
The concurrent disclosure of two near-identical command injection flaws in the same firmware binary reflects a systemic pattern in how this router's CGI handler processes user input — and suggests additional vulnerabilities may be present in other handler functions.
Vulnerability Details
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-5978 |
| CVSS Score | 9.8 (Critical) |
| Affected Product | TOTOLINK A7100RU |
| Affected Firmware | 7.4cu.2313_b20191024 |
| Vulnerable Function | setWiFiAclRules |
| Vulnerable Endpoint | /cgi-bin/cstecgi.cgi |
| Attack Vector | Network |
| Authentication Required | None |
| User Interaction | None |
| Disclosure Date | April 9, 2026 |
| Patch Available | No |
Technical Analysis
Root Cause
The setWiFiAclRules function handles Wi-Fi ACL (Access Control List) configuration via the CGI handler. The mode parameter is a user-supplied value that controls ACL rule behavior. The implementation passes this value directly into a shell command without sanitizing or escaping shell metacharacters, enabling command injection.
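To make the root cause concrete, the following is an added example and not code from the A7100RU firmware (whose handler source is not published). It reconstructs the vulnerable pattern in C and places a hardened version beside it. The helper path /usr/sbin/wifi_acl.sh, the function names, and the assumption that mode is a small non-negative integer (consistent with the mode=0 value in the request shown below) are all illustrative assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical helper invoked by the handler. The real command string inside
 * the A7100RU firmware is not published; this path is an assumption. */
#define ACL_HELPER "/usr/sbin/wifi_acl.sh"

/* Vulnerable pattern: the untrusted "mode" value is spliced verbatim into a
 * command string that is then handed to /bin/sh via system().
 * Returns 0 on success, -1 if the string would not fit. */
int build_cmd_unsafe(const char *mode, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, ACL_HELPER " %s", mode);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

void set_wifi_acl_rules_unsafe(const char *mode)
{
    char cmd[256];
    if (build_cmd_unsafe(mode, cmd, sizeof cmd) == 0)
        system(cmd); /* ';', '|', '`', '$(' inside mode are interpreted by the shell */
}

/* Hardened: accept only what the parameter is supposed to carry. Assumption:
 * "mode" is a non-negative integer of at most two digits. Anything else,
 * including an empty string or a NULL pointer, is rejected. */
int mode_is_valid(const char *mode)
{
    size_t len;
    if (mode == NULL) return 0;
    len = strlen(mode);
    if (len == 0 || len > 2) return 0;
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)mode[i])) return 0;
    return 1;
}

/* Hardened invocation: validate first, then pass the value as a single argv
 * element through execv() so no shell ever parses it. Returns -1 if the value
 * is rejected or the child cannot be started, otherwise the helper's exit
 * status (127 when the helper binary does not exist on this machine). */
int set_wifi_acl_rules_safe(const char *mode)
{
    if (!mode_is_valid(mode)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { ACL_HELPER, (char *)mode, NULL };
        execv(argv[0], argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed payload in the shape of the advisory's request body, but with
     * a harmless injected command so the demo can be run on a workstation. */
    const char *payload = "0;echo INJECTED-COMMAND-RAN";
    char cmd[256];

    build_cmd_unsafe(payload, cmd, sizeof cmd);
    printf("unsafe command string: %s\n", cmd);
    set_wifi_acl_rules_unsafe(payload); /* sh reports the helper missing, then prints INJECTED-COMMAND-RAN */

    printf("safe handler, injected mode: %d\n", set_wifi_acl_rules_safe(payload)); /* rejected: -1 */
    printf("safe handler, mode \"0\": %d\n", set_wifi_acl_rules_safe("0"));     /* 127 here, helper absent */
    return 0;
}
```

The two fixes are independent and both matter: the allowlist rejects the payload before any process is started, and execv() with a separate argv entry means that even a value that slipped past validation would reach the helper as one literal argument rather than being parsed by /bin/sh.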
Attack Scenario
An attacker with network access to the management interface sends a crafted POST request to inject arbitrary commands via the mode argument:
```http
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: <router-ip>
Content-Type: application/x-www-form-urlencoded

action=setWiFiAclRules&mode=0;id>/tmp/pwned;
```

The injected semicolons terminate the intended command and introduce attacker-controlled shell statements: the first `;` ends whatever command the handler builds around mode=0, `id>/tmp/pwned` then runs as a separate command, and the file it leaves in /tmp serves as a simple proof of execution. The metacharacters are shown unencoded for readability; sending them percent-encoded (`%3B`, `%3E`) is equivalent once the CGI parser decodes the body. On typical TOTOLINK devices, the CGI process runs with root privileges, so the injected commands give the attacker full control of the device.
Relationship to CVE-2026-5977
CVE-2026-5977 and CVE-2026-5978 were disclosed simultaneously and affect the same firmware version. Both follow an identical vulnerability pattern — a CGI handler function that fails to sanitize user input before constructing shell commands. This suggests the vulnerability is not isolated to individual functions but reflects a systemic absence of input validation across the router's CGI handler codebase.
Security teams should assume that other CGI handler functions in the same firmware may be similarly vulnerable.
Impact
Successful exploitation of CVE-2026-5978 allows an attacker to:
- Execute arbitrary commands as root on the router
- Gain persistent access to the device
- Reconfigure ACL rules to allow unauthorized wireless clients
- Pivot into devices on the LAN side of the router
- Use the router as a C2 relay or botnet node
- Intercept or redirect network traffic
Affected Products
| Product | Firmware | Status |
|---|---|---|
| TOTOLINK A7100RU | 7.4cu.2313_b20191024 | Vulnerable — No patch |
| Other TOTOLINK models | Various | Unknown — verify separately |
Remediation
No Official Patch Available
As of April 9, 2026, TOTOLINK has not released a firmware update addressing CVE-2026-5978 or the concurrent CVE-2026-5977. No vendor security advisory has been published.
Interim Mitigations
1. Disable remote management
Prevent external access to the router's web interface from the WAN:
- Log in to the router admin panel
- Disable Remote Management (often under Advanced settings)
- Restrict access to the LAN interface only
2. Block management ports at the perimeter
Use an upstream firewall or modem to block inbound access to ports 80 and 8080 (and any other ports the router's web interface listens on).
3. Network segmentation
Isolate the TOTOLINK router and any LAN clients on a separate network segment. This limits what an attacker can reach if the router is compromised.
4. Evaluate device replacement
Given the concurrent disclosure of two critical vulnerabilities with no patch, and TOTOLINK's history of unpatched security issues, organizations relying on A7100RU devices should plan to replace them with supported hardware from vendors with an active security response program.
5. Continuous monitoring
If replacing the device is not immediately possible, monitor for signs of exploitation:
- Unexpected outbound traffic from the router's IP
- Unauthorized changes to Wi-Fi ACL rules
- DNS or routing configuration changes not made by an administrator
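As an added example supporting the monitoring step above (not part of the advisory), the following C program inspects captured requests to /cgi-bin/cstecgi.cgi and flags any parameter whose value contains shell metacharacters after percent-decoding, which is the signature of the injection described in this advisory. The router itself is unlikely to log this, so the input has to come from an upstream tap, reverse proxy or IDS. The log line format, the sample lines and the metacharacter set are constructed assumptions; adapt the parser to what your tooling actually emits.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode src into dst (dst needs strlen(src)+1 bytes). '+' becomes a
 * space, as in application/x-www-form-urlencoded. Malformed escapes are kept. */
void url_decode(const char *src, char *dst)
{
    while (*src) {
        int h1 = hexval((unsigned char)src[1]), h2 = hexval((unsigned char)src[2]);
        if (*src == '%' && src[1] && src[2] && h1 >= 0 && h2 >= 0) {
            *dst++ = (char)(h1 * 16 + h2);
            src += 3;
        } else if (*src == '+') {
            *dst++ = ' ';
            src++;
        } else {
            *dst++ = *src++;
        }
    }
    *dst = '\0';
}

/* Assumed metacharacter set: anything that lets a value break out of a
 * single shell word. Tune for parameters that legitimately carry '$' or '<'. */
int value_has_shell_meta(const char *v)
{
    return strpbrk(v, ";|&`$<>\n") != NULL;
}

/* Walk a form-encoded body and count parameters whose decoded value carries
 * shell metacharacters. The first offending parameter name is copied to hit
 * (if non-NULL). Returns -1 if a single name=value pair is implausibly long. */
int scan_cgi_body(const char *body, char *hit, size_t hitlen)
{
    char pair[1024], val[1024];
    int hits = 0;
    const char *p = body;

    while (*p) {
        const char *amp = strchr(p, '&');
        size_t plen = amp ? (size_t)(amp - p) : strlen(p);
        if (plen >= sizeof pair) return -1;
        memcpy(pair, p, plen);
        pair[plen] = '\0';
        p += plen + (amp ? 1 : 0);

        char *eq = strchr(pair, '=');
        if (!eq) continue;
        *eq = '\0';                      /* pair now holds only the parameter name */
        url_decode(eq + 1, val);
        if (value_has_shell_meta(val)) {
            if (hits == 0 && hit && hitlen) snprintf(hit, hitlen, "%s", pair);
            hits++;
        }
    }
    return hits;
}

/* Assumed log format: "<timestamp> <client-ip> <method> <path> <body>", with
 * the body still URL-encoded so it contains no whitespace. Lines that are not
 * requests to cstecgi.cgi are ignored (return 0). */
int scan_log_line(const char *line, char *hit, size_t hitlen)
{
    char ts[64], ip[64], method[16], path[256], body[1024];
    if (sscanf(line, "%63s %63s %15s %255s %1023s", ts, ip, method, path, body) != 5)
        return 0;
    if (strcmp(path, "/cgi-bin/cstecgi.cgi") != 0) return 0;
    return scan_cgi_body(body, hit, hitlen);
}

int main(void)
{
    /* Constructed sample lines in the assumed format; not real traffic. */
    const char *lines[] = {
        "2026-04-09T10:00:00Z 192.0.2.10 POST /cgi-bin/cstecgi.cgi action=setWiFiAclRules&mode=1",
        "2026-04-09T10:00:05Z 203.0.113.7 POST /cgi-bin/cstecgi.cgi action=setWiFiAclRules&mode=0%3Bid%3E%2Ftmp%2Fpwned%3B",
        "2026-04-09T10:00:09Z 203.0.113.7 POST /cgi-bin/cstecgi.cgi action=setWiFiAclRules&mode=0;id>/tmp/pwned;",
        "2026-04-09T10:00:12Z 192.0.2.11 GET /index.html -",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        char hit[64];
        int n = scan_log_line(lines[i], hit, sizeof hit);
        if (n > 0)
            printf("ALERT %d tainted value(s), first in parameter '%s': %s\n", n, hit, lines[i]);
    }
    return 0;
}
```

Because the check runs on the decoded value, it catches both the raw payload and its percent-encoded form. It is deliberately not specific to the mode parameter or to setWiFiAclRules, since the advisory's own conclusion is that other handler functions in this firmware may share the same flaw.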
Context: TOTOLINK Security Track Record
TOTOLINK has a long history of critical vulnerabilities disclosed with no corresponding vendor patches. Multiple models have been affected by OS command injection, authentication bypass, and buffer overflow vulnerabilities in their CGI handlers. Devices running end-of-life firmware versions are particularly at risk, as TOTOLINK does not maintain a public security advisory program or provide consistent patch timelines for older hardware.
See also: CVE-2026-5977 — a sibling command injection vulnerability in the same firmware via the setWiFiBasicCfg function's wifiOff argument.