Overview
CVE-2026-6114 is a critical-severity OS command injection vulnerability in the Totolink A7100RU router (firmware 7.4cu.2313_b20191024). The flaw is found in the setNetworkCfg function within the /cgi-bin/cstecgi.cgi CGI handler. The proto parameter is not sanitized before being used in a shell command, allowing unauthenticated remote code execution.
| Field | Details |
|---|---|
| CVE ID | CVE-2026-6114 |
| CVSS Score | 9.8 (Critical) |
| Attack Vector | Network |
| Authentication | None required |
| Published | 2026-04-12 |
| Affected Product | Totolink A7100RU 7.4cu.2313_b20191024 |
Vulnerability Details
The setNetworkCfg function handles network protocol configuration on the router. The proto parameter, intended to select a network protocol type, is interpolated unsanitized into a shell command line that the CGI process executes. By placing shell metacharacters such as ; or | in this parameter, a remote attacker terminates the intended command and runs arbitrary OS commands with the privileges of the CGI process (root on this device).
No authentication is required to reach this endpoint, making exploitation trivial for any attacker with HTTP access to the router.
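The pattern at the root of this bug, and the two fixes that close it, as an added C example. This is illustrative code written for this page, not Totolink's firmware: the command template, the helper binary path (/sbin/netcfg) and the three allowlisted protocol values are assumptions, since the advisory names only the function and the parameter.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* NETCFG_BIN is a placeholder for whatever helper the real handler invokes;
 * the advisory does not name it. */
#define NETCFG_BIN "/sbin/netcfg"

/* --- Vulnerable pattern (hypothetical reconstruction, not Totolink's code) ---
 * The handler formats the attacker-controlled "proto" value straight into a
 * command line. Returns a pointer to a static buffer so the result can be
 * inspected without running it. */
const char *build_netcfg_cmd_unsafe(const char *proto)
{
    static char cmd[256];
    snprintf(cmd, sizeof cmd, NETCFG_BIN " --proto %s", proto);
    return cmd;
}

/* Handing that string to system() gives the value to /bin/sh, so a value such
 * as "dhcp;id" ends the intended command and runs "id" as the CGI user. */
void set_network_cfg_unsafe(const char *proto)
{
    system(build_netcfg_cmd_unsafe(proto));
}

/* --- Hardened version --- */

/* 1. Allowlist: "proto" selects one of a small fixed set of modes, so compare
 *    against that set exactly. The three values here are assumed. */
static const char *const allowed_protos[] = { "dhcp", "static", "pppoe" };

int proto_is_allowed(const char *proto)
{
    if (proto == NULL)
        return 0;
    for (size_t i = 0; i < sizeof allowed_protos / sizeof allowed_protos[0]; i++)
        if (strcmp(proto, allowed_protos[i]) == 0)
            return 1;
    return 0;
}

/* Secondary signal for logging and alerting: does the value contain any
 * character /bin/sh would treat specially? Not a substitute for the allowlist. */
int has_shell_metachar(const char *s)
{
    return s != NULL && strpbrk(s, ";|&`$(){}<>'\"\\ \t\r\n") != NULL;
}

/* 2. No shell: pass the validated value as one argv element to execv(), so no
 *    interpreter ever parses it. Returns 0 on success, -1 if the value was
 *    rejected, -2 if the helper could not be run or exited non-zero. */
int set_network_cfg_safe(const char *proto)
{
    if (!proto_is_allowed(proto))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -2;
    if (pid == 0) {
        char *const argv[] = { NETCFG_BIN, "--proto", (char *)proto, NULL };
        execv(argv[0], argv);
        _exit(127); /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -2;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -2;
}

int main(void)
{
    const char *inputs[] = { "dhcp", "dhcp;id", "$(id)" };
    for (size_t i = 0; i < 3; i++) {
        printf("proto=%-8s unsafe cmd: %s\n", inputs[i], build_netcfg_cmd_unsafe(inputs[i]));
        printf("%-14s allowlisted=%d metachar=%d safe_rc=%d\n", "",
               proto_is_allowed(inputs[i]), has_shell_metachar(inputs[i]),
               set_network_cfg_safe(inputs[i]));
    }
    return 0;
}
```

The allowlist and the execv() call are independent controls: even if a new protocol value is later added without updating the allowlist, the argv boundary still keeps the shell from parsing the value. has_shell_metachar() exists to raise an alert on rejected input, not as the primary control, because character denylists are routinely bypassed.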
Affected Component
- Function: setNetworkCfg
- File: /cgi-bin/cstecgi.cgi
- Parameter: proto
- Injection Type: OS command injection
- Exploit publicly available: Yes
Context: Systemic CGI Handler Flaws
CVE-2026-6114 is one of four simultaneous OS command injection CVEs disclosed for this firmware version, all in different setXxxCfg functions within the same CGI handler:
| CVE | Function | Parameter |
|---|---|---|
| CVE-2026-6112 | setRadvdCfg | maxRtrAdvInterval |
| CVE-2026-6113 | setTtyServiceCfg | ttyEnable |
| CVE-2026-6114 | setNetworkCfg | proto |
| CVE-2026-6115 | setAppCfg | enable |
This pattern strongly indicates a systemic failure to validate user-supplied input throughout the CGI handler, rather than isolated coding errors.
Impact
An unauthenticated attacker can achieve root-level command execution, enabling:
- Complete device compromise and persistent backdoor installation
- Theft of stored network credentials (WPA keys, PPPoE passwords)
- Traffic interception and DNS manipulation against LAN clients
- Botnet enrollment — Totolink routers have historically been targeted by Mirai variants
Affected Versions
| Product | Firmware | Status |
|---|---|---|
| Totolink A7100RU | 7.4cu.2313_b20191024 | Vulnerable |
Remediation
Vendor patch status was unconfirmed at publication. Apply these mitigations immediately:
- Isolate the management interface — Do not expose router management to untrusted networks or the public internet.
- Enable firewall rules — Block inbound connections to TCP ports 80 and 443 on the WAN interface so the CGI handler is reachable only from the LAN.
- Review router logs — Check for anomalous CGI requests targeting /cgi-bin/cstecgi.cgi, in particular requests naming the setXxxCfg functions listed above that arrive from WAN addresses or carry shell metacharacters.
- Disable unused services — Reduce the attack surface by disabling services like remote management.
- Replace unsupported hardware — Given the number of simultaneous CVEs, firmware quality is suspect; evaluate replacement with a supported device.
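For the log-review step, an added C example written for this page (not vendor tooling) that flags requests to /cgi-bin/cstecgi.cgi which name one of the four affected setXxxCfg functions and carry a shell metacharacter in the body. The "src=... path=... body=..." line format and the JSON "topicurl" field that selects the handler are assumptions about how the traffic was captured and encoded, not details taken from the advisory; the sample lines are constructed.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Functions named in the advisory's table of affected setXxxCfg handlers. */
static const char *const watched_funcs[] = {
    "setRadvdCfg", "setTtyServiceCfg", "setNetworkCfg", "setAppCfg",
};

/* Characters that end or extend a /bin/sh command; braces and quotes are
 * deliberately left out because they appear in every JSON body. */
#define SHELL_METACHARS ";|&`$()<>\n\r"

/* One captured request, logged as "src=... path=... body=..." (assumed
 * format; adapt the field parsing to whatever your proxy or IDS writes).
 * Returns 1 if the line should raise an alert, 0 otherwise. */
int is_suspicious_cgi_request(const char *line)
{
    if (line == NULL || strstr(line, "/cgi-bin/cstecgi.cgi") == NULL)
        return 0;                      /* not the vulnerable handler */
    const char *body = strstr(line, "body=");
    if (body == NULL)
        return 0;                      /* no request body captured */
    body += strlen("body=");

    int targets_watched_func = 0;
    for (size_t i = 0; i < sizeof watched_funcs / sizeof watched_funcs[0]; i++)
        if (strstr(body, watched_funcs[i]) != NULL)
            targets_watched_func = 1;
    if (!targets_watched_func)
        return 0;
    /* Only a body that carries a shell metacharacter is flagged; a plain
     * configuration change to the same function passes. */
    return strpbrk(body, SHELL_METACHARS) != NULL;
}

size_t count_suspicious(const char *const lines[], size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += is_suspicious_cgi_request(lines[i]) ? 1 : 0;
    return hits;
}

/* Constructed sample, not real traffic. The "topicurl" key is an assumption
 * about the request format; function and parameter names come from the advisory. */
const char *const sample_log[] = {
    "src=192.168.0.20 path=/cgi-bin/cstecgi.cgi body={\"topicurl\":\"setNetworkCfg\",\"proto\":\"dhcp\"}",
    "src=203.0.113.5 path=/cgi-bin/cstecgi.cgi body={\"topicurl\":\"setNetworkCfg\",\"proto\":\"dhcp;id\"}",
    "src=203.0.113.5 path=/cgi-bin/cstecgi.cgi body={\"topicurl\":\"setAppCfg\",\"enable\":\"1|id\"}",
    "src=192.168.0.20 path=/cgi-bin/cstecgi.cgi body={\"topicurl\":\"setRadvdCfg\",\"maxRtrAdvInterval\":\"600\"}",
    "src=203.0.113.9 path=/index.html body=",
};
const size_t sample_log_len = sizeof sample_log / sizeof sample_log[0];

int main(void)
{
    for (size_t i = 0; i < sample_log_len; i++)
        printf("%s  %s\n", is_suspicious_cgi_request(sample_log[i]) ? "ALERT" : "ok   ",
               sample_log[i]);
    printf("%zu suspicious request(s)\n", count_suspicious(sample_log, sample_log_len));
    return 0;
}
```

Standard web-server access logs usually record only the request path, so this check needs request bodies from a reverse proxy, IDS or packet capture. If only paths are available, alert on any WAN-sourced request to the handler at all: no legitimate management traffic should arrive from there.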
References
- NVD Entry — CVE-2026-6114
- Related: CVE-2026-6112 — setRadvdCfg injection
- Related: CVE-2026-6113 — setTtyServiceCfg injection
- Related: CVE-2026-6115 — setAppCfg injection