## Overview
CVE-2026-6112 is a critical-severity OS command injection vulnerability discovered in the Totolink A7100RU wireless router running firmware version 7.4cu.2313_b20191024. The flaw resides in the setRadvdCfg function within the /cgi-bin/cstecgi.cgi CGI handler and can be triggered remotely without authentication.
| Field | Details |
|---|---|
| CVE ID | CVE-2026-6112 |
| CVSS Score | 9.8 (Critical) |
| Attack Vector | Network |
| Authentication | None required |
| Published | 2026-04-12 |
| Affected Product | Totolink A7100RU 7.4cu.2313_b20191024 |
## Vulnerability Details
The vulnerability exists in the setRadvdCfg function of the CGI handler (/cgi-bin/cstecgi.cgi). The maxRtrAdvInterval parameter is passed directly to a system command without proper sanitization, enabling classic OS command injection.
An attacker with network access to the router's web management interface can supply a crafted value for maxRtrAdvInterval that embeds shell metacharacters or commands. Because this function is accessible without authentication, exploitation requires no credentials — only reachability to the management port.
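The fix for this bug class is positive validation plus avoiding the shell entirely. The following C sketch is an added illustration, not code from the advisory or from Totolink's firmware: it accepts maxRtrAdvInterval only as a plain decimal integer inside the RFC 4861 range for MaxRtrAdvInterval (4 to 1800 seconds, the same bounds radvd enforces) and passes the validated number to a helper as its own argv element via execv(), so no shell ever parses the parameter. The helper path `/usr/sbin/radvd-apply` and its `--max-rtr-adv-interval` flag are assumed placeholders.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* RFC 4861 bounds for MaxRtrAdvInterval in seconds; radvd enforces the same range. */
#define RTR_ADV_MIN 4L
#define RTR_ADV_MAX 1800L

/*
 * Unsafe pattern (the bug class described above, do not use): the raw CGI
 * parameter is pasted into a command line, e.g.
 *   snprintf(cmd, n, "... %s", param); system(cmd);
 * Any shell metacharacter in param then changes which command runs.
 */

/*
 * Positive validation: accept only a plain decimal integer within the
 * protocol range. Returns the value, or -1 for anything else.
 */
long parse_max_rtr_adv_interval(const char *param) {
    if (param == NULL || *param == '\0' || strlen(param) > 4)
        return -1;                    /* 1800 has 4 digits; anything longer is never valid */
    for (const char *p = param; *p != '\0'; p++)
        if (!isdigit((unsigned char)*p))
            return -1;                /* rejects ';', '|', '$', '`', spaces, signs, ... */
    errno = 0;
    char *end = NULL;
    long v = strtol(param, &end, 10);
    if (errno != 0 || end == param || *end != '\0')
        return -1;
    if (v < RTR_ADV_MIN || v > RTR_ADV_MAX)
        return -1;
    return v;
}

/* Render the validated value as the single argument the helper will receive. */
int format_interval_arg(long interval, char *buf, size_t buflen) {
    int n = snprintf(buf, buflen, "%ld", interval);
    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;   /* -1 if buf is too small */
}

/* ASSUMED helper path; placeholder, not the firmware's real restart mechanism. */
#define RADVD_HELPER "/usr/sbin/radvd-apply"

/*
 * Hardened handler: reject before any command is reached, then exec the
 * helper directly with the value as a discrete argv element (no shell).
 */
int apply_max_rtr_adv_interval(const char *param) {
    long interval = parse_max_rtr_adv_interval(param);
    if (interval < 0)
        return -1;
    char arg[8];
    if (format_interval_arg(interval, arg, sizeof arg) != 0)
        return -1;
    char *const argv[] = { RADVD_HELPER, "--max-rtr-adv-interval", arg, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(RADVD_HELPER, argv);
        _exit(127);                   /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void) {
    /* Constructed sample inputs: valid, out-of-range, and metacharacter-bearing values. */
    const char *samples[] = { "600", "4", "1800", "3", "1801", "600;x", "600 x", "$(x)", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s -> %ld\n", samples[i], parse_max_rtr_adv_interval(samples[i]));
    return 0;
}
```

The validator is an allow-list rather than a deny-list: it does not try to strip dangerous characters, it refuses anything that is not a bounded integer, which is the only shape the parameter can legitimately take. Keeping the value as one argv entry means that even a future bug in validation cannot turn it into additional commands.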
## Affected Component
- Function: setRadvdCfg
- File: /cgi-bin/cstecgi.cgi
- Parameter: maxRtrAdvInterval
- Injection Type: OS command injection
- Exploit publicly available: Yes (disclosed with exploit details)
## Impact
A successful exploit grants an attacker full operating system command execution with the privileges of the web server process, which on embedded routers is typically root. From this position an attacker can:
- Establish persistent backdoor access
- Exfiltrate network credentials and configuration
- Pivot to other devices on the LAN
- Enroll the device in a botnet (common fate for exploited SOHO routers)
- Modify DNS settings for MitM attacks against connected clients
## Affected Versions
| Product | Firmware | Status |
|---|---|---|
| Totolink A7100RU | 7.4cu.2313_b20191024 | Vulnerable |
No patch was available at time of publication. Check the Totolink support portal for firmware updates.
## Remediation
Until a vendor patch is available, apply the following mitigations:
- Restrict management interface access — Use firewall rules to block external access to the router's HTTP/HTTPS management port (typically 80/443 or 8080).
- Disable remote management — Ensure the WAN-side management interface is disabled in the router settings.
- Network segmentation — Place the router's management interface on an isolated VLAN accessible only to trusted administrators.
- Monitor for exploitation — Look for unexpected outbound connections or unusual processes from the router's IP.
- Replace if unsupported — If Totolink does not issue a firmware fix, consider replacing the device with a supported model.