Overview
A critical OS command injection vulnerability has been identified in Totolink A7100RU routers running firmware version 7.4cu.2313_b20191024. Tracked as CVE-2026-6116, the flaw resides in the setDiagnosisCfg function of the /cgi-bin/cstecgi.cgi CGI handler and carries a CVSS score of 9.8 (Critical).
Successful exploitation allows a remote, unauthenticated attacker to inject and execute arbitrary OS commands on the affected device — effectively handing over full router control.
Technical Details
| Field | Value |
|---|---|
| CVE ID | CVE-2026-6116 |
| CVSS Score | 9.8 (Critical) |
| Attack Vector | Network |
| Authentication | None Required |
| Affected Product | Totolink A7100RU 7.4cu.2313_b20191024 |
| Vulnerability Type | OS Command Injection (CWE-78) |
| Affected Component | /cgi-bin/cstecgi.cgi — setDiagnosisCfg function |
| Vulnerable Parameter | ip argument |
Root Cause
The setDiagnosisCfg function within the CGI handler fails to sanitize the `ip` parameter before passing it to an underlying OS command. An attacker can inject shell metacharacters (e.g., `;`, `&&`, `|`) into the `ip` value to break out of the intended command context and execute arbitrary commands with the privileges of the web server process — typically root on embedded routers.
Example injection pattern:

```
ip=127.0.0.1;id;
```
This type of vulnerability is characteristic of embedded Linux routers where input validation is neglected in diagnostic or utility CGI endpoints.
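As an added example (not code from the page or from Totolink's firmware), this is how a diagnostic CGI handler can be written so the injection above cannot occur: the `ip` argument is validated as a strict dotted-quad and the ping is launched through `execvp` with an argv array instead of a shell, so a value such as `127.0.0.1;id;` is refused before anything runs. The function names are assumptions.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Strict dotted-quad check: exactly four decimal octets in 0-255 and
 * nothing else, so shell metacharacters such as ';' can never pass. */
bool is_valid_ipv4(const char *s) {
    int octets = 0;
    const char *p = s;
    while (*p) {
        if (*p < '0' || *p > '9') return false;
        int value = 0, digits = 0;
        while (*p >= '0' && *p <= '9') {
            value = value * 10 + (*p - '0');
            if (++digits > 3 || value > 255) return false;
            p++;
        }
        octets++;
        if (*p == '.') {
            if (octets == 4 || p[1] == '\0') return false;
            p++;
        } else if (*p != '\0') {
            return false;   /* ';', '&', '|', space, anything non-numeric */
        }
    }
    return octets == 4;
}

/* Hypothetical hardened diagnostic: run ping without a shell. The target
 * is one argv element for execvp, so it is never parsed for metacharacters.
 * Returns the child's exit status, or -1 if the input is refused or
 * the process cannot be started. */
int run_diagnosis_ping(const char *ip) {
    if (!is_valid_ipv4(ip)) return -1;       /* reject before any exec */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "1", (char *)ip, NULL };
        execvp("ping", argv);
        _exit(127);                          /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```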
Exploitation
- No authentication required — the vulnerable endpoint is accessible without credentials
- Remote exploitation — attack can be carried out over the network (LAN or WAN depending on router configuration)
- Arbitrary code execution — attacker gains shell access with the permissions of the CGI process
Exploitation of this class of vulnerability in SOHO routers is a well-established technique used by botnets (e.g., Mirai variants) to recruit devices for DDoS operations, traffic proxying, and persistent footholds.
Affected Versions
| Product | Firmware | Status |
|---|---|---|
| Totolink A7100RU | 7.4cu.2313_b20191024 | Vulnerable |
Other firmware versions may also be affected if they share the same CGI handler codebase. Users should check Totolink's advisory for a full list.
Remediation
- Apply firmware updates immediately if Totolink releases a patched firmware version for the A7100RU.
- Disable remote management — ensure the router's admin interface is not exposed to the public internet (WAN-side access should be disabled).
- Restrict LAN access to the admin interface to trusted hosts only.
- Segment IoT/SOHO devices from critical network segments using VLANs.
- Consider replacing end-of-life hardware where vendor patches are no longer forthcoming.