Overview
CVE-2026-6113 is a critical OS command injection vulnerability affecting the Totolink A7100RU router running firmware 7.4cu.2313_b20191024. The vulnerability is located in the setTtyServiceCfg function of the /cgi-bin/cstecgi.cgi CGI handler. Remote, unauthenticated attackers can exploit it via the ttyEnable parameter.
| Field | Details |
|---|---|
| CVE ID | CVE-2026-6113 |
| CVSS Score | 9.8 (Critical) |
| Attack Vector | Network |
| Authentication | None required |
| Published | 2026-04-12 |
| Affected Product | Totolink A7100RU 7.4cu.2313_b20191024 |
Vulnerability Details
The setTtyServiceCfg function manages TTY (serial terminal) service configuration on the device. The ttyEnable parameter controlling whether this service is enabled or disabled is passed to a shell command without input validation, allowing injection of arbitrary OS commands.
Because the CGI endpoint handling this function does not enforce authentication, any attacker able to reach the management interface can send a crafted HTTP request to achieve remote code execution.
Affected Component
- Function: setTtyServiceCfg
- File: /cgi-bin/cstecgi.cgi
- Parameter: ttyEnable
- Injection Type: OS command injection
- Exploit publicly available: Yes
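
For monitoring, the function, file and parameter named above are enough to build an allow-list check over proxy or IDS records that capture request bodies. The sketch below is an added example, not part of the original advisory or any vendor tooling; the record layout, the `action` key in the sample bodies and the assumption that a legitimate ttyEnable value is only 0 or 1 are constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qs

ENDPOINT = "/cgi-bin/cstecgi.cgi"
HANDLER = "setTtyServiceCfg"
PARAM = "ttyEnable"
ALLOWED = {"0", "1"}  # assumption: a legitimate client only sends an on/off flag

def extract_param(body):
    """Return the ttyEnable value from a JSON or form-encoded body, else None."""
    try:
        doc = json.loads(body)
        if isinstance(doc, dict) and PARAM in doc:
            return str(doc[PARAM])
    except ValueError:
        pass
    form = parse_qs(body, keep_blank_values=True)
    if PARAM in form:
        return form[PARAM][0]
    # Malformed body: fall back to the raw text following the key.
    m = re.search(PARAM + r'"?\s*[:=]\s*"?([^"&}]*)', body)
    return m.group(1) if m else None

def classify(path, body):
    """'ignore' for unrelated requests, 'ok' for 0/1 or absent, else 'suspicious'."""
    if not path.startswith(ENDPOINT) or HANDLER not in body:
        return "ignore"
    value = extract_param(body)
    if value is None or value in ALLOWED:
        return "ok"
    return "suspicious"

def suspicious_sources(records):
    """Source addresses that sent at least one out-of-range ttyEnable value."""
    return sorted({src for src, path, body in records
                   if classify(path, body) == "suspicious"})

# Constructed sample records (source, path, body); addresses are documentation ranges.
SAMPLES = [
    ("192.0.2.10", ENDPOINT, '{"action":"setTtyServiceCfg","ttyEnable":"1"}'),
    ("198.51.100.7", ENDPOINT, '{"action":"setTtyServiceCfg","ttyEnable":"1;PLACEHOLDER"}'),
    ("203.0.113.5", ENDPOINT, "action=setTtyServiceCfg&ttyEnable=0%60PLACEHOLDER%60"),
    ("192.0.2.10", ENDPOINT, '{"action":"otherHandler"}'),
]

if __name__ == "__main__":
    for src in suspicious_sources(SAMPLES):
        print("out-of-range ttyEnable from", src)
```

Because the check is an allow-list on the value rather than a list of shell metacharacters, it also flags encodings and separators a blocklist would miss.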
Impact
Successful exploitation yields OS-level command execution, typically as root on affected SOHO routers. The attacker can:
- Obtain a reverse shell or persistent backdoor
- Capture Wi-Fi passwords and network configurations
- Intercept or redirect traffic from connected clients
- Use the device as a bot node for DDoS or proxy abuse
- Brick the device via firmware flash or destructive commands
This vulnerability is part of a cluster of similar flaws (CVE-2026-6112, CVE-2026-6114, CVE-2026-6115) affecting the same firmware, suggesting a systemic lack of input validation throughout the CGI handler.
Affected Versions
| Product | Firmware | Status |
|---|---|---|
| Totolink A7100RU | 7.4cu.2313_b20191024 | Vulnerable |
Remediation
No vendor patch was available at the time of disclosure. Recommended mitigations:
- Block management port access from untrusted networks — Firewall or ACL-restrict port 80/443 to LAN-only.
- Disable WAN-facing management — Verify remote management is turned off in router settings.
- Audit connected devices — Check for unexpected outbound connections originating from the router.
- Apply network segmentation — Restrict which subnets can reach the management interface.
- Plan hardware replacement — Devices without vendor support pose ongoing risk; evaluate replacement timelines.
References
- NVD Entry — CVE-2026-6113
- Related: CVE-2026-6112 — setRadvdCfg injection
- Related: CVE-2026-6114 — setNetworkCfg injection
- Related: CVE-2026-6115 — setAppCfg injection