Executive Summary
CVE-2026-6132 is a critical OS command injection vulnerability in the Totolink A7100RU router running firmware 7.4cu.2313_b20191024. The affected function is setLedCfg within the CGI handler /cgi-bin/cstecgi.cgi. Manipulation of the enable parameter allows a remote, unauthenticated attacker to inject and execute arbitrary OS commands on the router.
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-6132 |
| CVSS Score | 9.8 (Critical) |
| Type | OS Command Injection |
| Component | setLedCfg in /cgi-bin/cstecgi.cgi |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Confidentiality / Integrity / Availability | High / High / High |
| Published | 2026-04-12 |
Affected Products
| Product | Firmware Version | Status |
|---|---|---|
| Totolink A7100RU | 7.4cu.2313_b20191024 | Vulnerable — no patch available |
Technical Details
Vulnerability Mechanism
The setLedCfg function in /cgi-bin/cstecgi.cgi is responsible for configuring the router's LED indicator behavior. It accepts an enable parameter that is expected to be a boolean or integer value. Due to missing input sanitization, shell metacharacters within the enable value are passed directly to an OS shell execution call, enabling command injection.
Proof-of-Concept Attack Pattern
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: <router-ip>
Content-Type: application/x-www-form-urlencoded
action=setLedCfg&enable=1;id;

An attacker could substitute the injected commands with a reverse shell payload to gain persistent remote access to the device.
Root Cause
The root cause is the same as for the other vulnerabilities in this firmware: user-supplied input is concatenated into shell command strings without sanitization. Totolink's CGI framework for this firmware appears to have no centralized input validation layer, resulting in command injection points across multiple management functions.
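The fix the root-cause paragraph implies is shown below as an added example; it is not Totolink's code and the real setLedCfg implementation is not on this page. It is a hypothetical handler for a boolean `enable` parameter that places the flawed pattern (raw concatenation into a shell string, never executed here) beside the hardened pattern (allowlist validation, argv execution without a shell). The `led_ctl` binary and the `handle_set_led_cfg` name are assumptions made for the illustration.

```python
"""Added example, not Totolink's code: a hypothetical CGI handler for a
boolean 'enable' parameter showing the flawed pattern the advisory
describes (raw concatenation into a shell string) next to the hardened
pattern (allowlist validation, no shell). The 'led_ctl' binary and the
handle_set_led_cfg name are assumptions made for this illustration."""
import subprocess
from typing import Callable, Dict, List, Optional
from urllib.parse import unquote_plus

# A boolean/integer flag has exactly two legitimate spellings.
ALLOWED_ENABLE = {"0", "1"}


def parse_form(body: str) -> Dict[str, str]:
    """Parse application/x-www-form-urlencoded. Splits on '&' only, so a ';'
    stays inside the value and reaches the validator instead of silently
    being treated as a pair separator."""
    params: Dict[str, str] = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def validate_enable(value: str) -> str:
    """Allowlist check: accept '0' or '1' and nothing else.
    Rejecting rather than stripping means '1;id;' fails closed."""
    if value not in ALLOWED_ENABLE:
        raise ValueError("invalid enable value: %r" % value)
    return value


def build_led_command_unsafe(enable: str) -> str:
    """The flawed pattern: the raw value lands in a shell command string.
    Shown for contrast only; this example never executes it."""
    return "led_ctl " + enable  # 'enable=1;id;' turns one command into several


def build_led_command_safe(enable: str) -> List[str]:
    """Hardened pattern: the validated value is its own argv element and is
    executed without a shell, so no metacharacter is ever interpreted."""
    return ["led_ctl", validate_enable(enable)]


def handle_set_led_cfg(body: str,
                       run: Optional[Callable[[List[str]], int]] = None) -> Dict[str, object]:
    """Hypothetical setLedCfg-style handler. 'run' is injectable so the
    example runs on a workstation without a led_ctl binary."""
    params = parse_form(body)
    if params.get("action") != "setLedCfg":
        return {"status": "error", "reason": "unsupported action"}
    try:
        argv = build_led_command_safe(params.get("enable", ""))
    except ValueError as exc:
        # Reject and report; do not attempt to 'clean' the value.
        return {"status": "error", "reason": str(exc)}
    if run is None:
        def run(argv: List[str]) -> int:
            # shell=False: argv goes straight to execve, no shell parsing.
            return subprocess.run(argv, shell=False, check=False).returncode
    return {"status": "ok", "argv": argv, "rc": run(argv)}


if __name__ == "__main__":
    for body in ("action=setLedCfg&enable=1",
                 "action=setLedCfg&enable=1;id;",
                 "action=setLedCfg&enable=1%3Bid%3B"):
        print(body, "->", handle_set_led_cfg(body, run=lambda argv: 0))
```

The percent-encoded case is included because the router's CGI decodes the body before use; a validator that only inspects the raw body would pass `1%3Bid%3B` and still hand `1;id;` to the command. Validating the decoded value against an allowlist, and never building a shell string at all, closes both paths.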
Impact Assessment
| Impact Area | Description |
|---|---|
| Remote Code Execution | Arbitrary command execution at CGI process privilege level (typically root) |
| Full Device Compromise | Router firmware, config, and credentials fully exposed |
| Network Reconnaissance | Attacker can enumerate and scan the internal LAN from the router |
| Botnet / DDoS | Device recruited for Mirai-style botnet attacks |
| Traffic Manipulation | DNS settings, routing tables, and firewall rules modifiable |
Recommendations
Immediate Actions
- Disable WAN-facing web management — do not expose the router's HTTP/HTTPS management port to the internet
- Apply firmware update when Totolink releases a patched version
- Restrict LAN management access to a dedicated management host or VLAN
- Monitor for signs of compromise — unexpected processes, new cron jobs, unusual network activity
- Consider device replacement if running an end-of-life firmware that Totolink will not patch
Network-Level Mitigations
- Block inbound TCP 80/443 on WAN interface at the upstream ISP router or firewall
- Use an IDS rule to alert on POST requests to /cgi-bin/cstecgi.cgi with shell metacharacters
- Segregate IoT/SOHO devices on an isolated VLAN to limit blast radius
Detection Indicators
| Indicator | Description |
|---|---|
| POST to /cgi-bin/cstecgi.cgi with metacharacters in enable field | Exploitation attempt |
| Unexpected process tree from cstecgi | Post-exploitation execution |
| New listening ports on the router | Backdoor or C2 listener installed |
| Outbound connections to non-ISP IPs | Possible C2 or botnet communications |
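The IDS rule recommended above and the first indicator in the table can be expressed as request-inspection logic. The block below is an added example, not part of the advisory or any vendor signature: it classifies full HTTP requests (as a WAF or IDS hook that sees the body would) and flags a POST to /cgi-bin/cstecgi.cgi whose decoded `enable` field contains shell metacharacters. The requests in `SAMPLE_REQUESTS` are constructed for the example, not real captures.

```python
"""Added example, not part of the advisory: detection logic for the
indicator 'POST to /cgi-bin/cstecgi.cgi with metacharacters in enable
field', written as an IDS/WAF hook that sees the whole request.
SAMPLE_REQUESTS are constructed for this example, not real captures."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote_plus

TARGET_PATH = "/cgi-bin/cstecgi.cgi"
# Characters that let a value escape a shell word; none belong in a boolean flag.
SHELL_META = re.compile(r"[;&|`$()<>{}\\\n\r'\"]")
ENABLE_FIELD = re.compile(r"(?:^|&)enable=([^&]*)")


def parse_request(raw: str) -> Tuple[str, str, str]:
    """Split a raw HTTP/1.x request into (method, path without query, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, target, _version = request_line.split(" ", 2)
    return method, target.split("?", 1)[0], body


def extract_enable(body: str) -> Optional[str]:
    """Return the percent-decoded enable value, or None when absent.
    Decoding matters: '%3B' becomes ';' once the CGI parses the body."""
    match = ENABLE_FIELD.search(body)
    return None if match is None else unquote_plus(match.group(1))


def classify(raw: str) -> Optional[Dict[str, str]]:
    """Return an alert for a request that matches the indicator, else None."""
    method, path, body = parse_request(raw)
    if method != "POST" or path != TARGET_PATH:
        return None
    enable = extract_enable(body)
    if enable is None or not SHELL_META.search(enable):
        return None
    return {"indicator": "cstecgi_enable_metachar",
            "severity": "high",
            "enable": enable}


def scan(requests: List[str]) -> List[Dict[str, str]]:
    """Run classify() over a batch of requests and keep the alerts."""
    return [a for a in (classify(r) for r in requests) if a is not None]


def _request(method: str, target: str, body: str = "") -> str:
    """Build a raw request string (fixture helper; Host value is constructed)."""
    return ("%s %s HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            "Content-Length: %d\r\n\r\n%s" % (method, target, len(body), body))


SAMPLE_REQUESTS = [
    _request("POST", TARGET_PATH, "action=setLedCfg&enable=1"),          # benign
    _request("POST", TARGET_PATH, "action=setLedCfg&enable=1;id;"),      # raw metachar
    _request("POST", TARGET_PATH, "action=setLedCfg&enable=1%3Bid%3B"),  # percent-encoded
    _request("GET", TARGET_PATH + "?action=setLedCfg&enable=1"),         # wrong method, no body
    _request("POST", "/cgi-bin/other.cgi", "enable=1;id;"),              # wrong path
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS):
        print(alert)
```

Matching on the decoded value is the part a naive string rule misses: a signature that only looks for a literal `;` in the body will not fire on the percent-encoded form. Tune the metacharacter class to what your environment tolerates, and pair this network indicator with the host-side ones in the table (unexpected children of cstecgi, new listeners), since a single request is evidence of an attempt, not of success.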
Related Vulnerabilities
This CVE is one of multiple OS command injection vulnerabilities found in the Totolink A7100RU firmware 7.4cu.2313_b20191024:
- CVE-2026-6131 — OS command injection via setTracerouteCfg (command parameter)
- CVE-2026-6138 — OS command injection via setAccessDeviceCfg (mac parameter)
The co-discovery of these vulnerabilities across different CGI functions points to a systemic absence of input sanitization in this firmware version.