Skip to main content
CVE Vulnerability Database

CVE-2026-6112: Totolink A7100RU RCE Vulnerability

CVE-2026-6112 is a remote code execution vulnerability in Totolink A7100RU router firmware affecting the setRadvdCfg function. Attackers can exploit this flaw to execute arbitrary OS commands remotely through command injection.

Updated:

CVE-2026-6112 Overview

CVE-2026-6112 is an operating system (OS) command injection vulnerability affecting the Totolink A7100RU router running firmware version 7.4cu.2313_b20191024. The flaw resides in the setRadvdCfg function within the /cgi-bin/cstecgi.cgi CGI Handler component. Attackers can manipulate the maxRtrAdvInterval argument to inject arbitrary operating system commands. The vulnerability is exploitable remotely without authentication or user interaction. Public exploit code is available, increasing the likelihood of opportunistic attacks against exposed devices. The issue is tracked under CWE-77: Improper Neutralization of Special Elements used in a Command.

Critical Impact

Unauthenticated remote attackers can execute arbitrary commands on affected Totolink A7100RU routers, gaining full control over the device and the network segments it serves.

Affected Products

  • Totolink A7100RU router
  • Firmware version 7.4cu.2313_b20191024
  • /cgi-bin/cstecgi.cgi CGI Handler component

Discovery Timeline

  • 2026-04-12 - CVE-2026-6112 published to the National Vulnerability Database (NVD)
  • 2026-04-27 - Last updated in NVD database

Technical Details for CVE-2026-6112

Vulnerability Analysis

The vulnerability resides in the setRadvdCfg function of /cgi-bin/cstecgi.cgi, the unified CGI binary that handles configuration endpoints on the Totolink A7100RU router. The setRadvdCfg handler configures the Router Advertisement Daemon (radvd), which broadcasts IPv6 network parameters. The handler accepts a maxRtrAdvInterval parameter that controls the maximum advertisement interval. The router passes this value into a shell command without proper sanitization or argument escaping. Attackers can append shell metacharacters such as semicolons, backticks, or command substitution sequences to inject arbitrary OS commands. Successful exploitation grants attackers the same privileges as the web server process, which typically runs as root on consumer routers.

Root Cause

The root cause is improper neutralization of special elements used in an OS command [CWE-77]. The setRadvdCfg handler concatenates the untrusted maxRtrAdvInterval value directly into a shell command string. The handler lacks input validation, allowlist enforcement, and argument quoting before invoking the system shell.

Attack Vector

The attack vector is fully remote and unauthenticated. An attacker sends a crafted HTTP POST request to /cgi-bin/cstecgi.cgi with a malicious maxRtrAdvInterval value. The Exploit Prediction Scoring System (EPSS) score is 1.221% with a percentile of 79.253, indicating elevated exploitation likelihood relative to most published CVEs. A public proof-of-concept is hosted at the GitHub PoC Repository.

No verified code examples are available. The vulnerability mechanism involves shell metacharacter injection through the maxRtrAdvInterval POST parameter handled by setRadvdCfg. See the VulDB #356972 entry for additional technical context.

Detection Methods for CVE-2026-6112

Indicators of Compromise

  • Unexpected HTTP POST requests to /cgi-bin/cstecgi.cgi containing the setRadvdCfg topicurl or function reference.
  • Shell metacharacters such as ;, |, `, $(, or && appearing in the maxRtrAdvInterval parameter value.
  • Outbound connections from the router to unknown hosts, particularly to download secondary payloads or establish reverse shells.
  • Unauthorized changes to router configuration, DNS settings, or firmware integrity.

Detection Strategies

  • Inspect web server and CGI access logs for POST requests to /cgi-bin/cstecgi.cgi referencing setRadvdCfg from external or unexpected source addresses.
  • Deploy network intrusion detection signatures that flag shell metacharacter patterns within HTTP request bodies destined for the router management interface.
  • Correlate router authentication events with subsequent configuration changes to identify exploitation that bypasses login.

Monitoring Recommendations

  • Forward router syslog and HTTP access logs to a central security information and event management (SIEM) platform for retention and analysis.
  • Monitor for new processes or persistent cron entries on routers that support administrative shell access.
  • Alert on inbound traffic to router management interfaces from the public internet, which should not be reachable in standard deployments.

How to Mitigate CVE-2026-6112

Immediate Actions Required

  • Restrict access to the router web management interface to trusted internal addresses only and disable WAN-side administration.
  • Place affected Totolink A7100RU devices behind a network firewall that blocks unsolicited inbound traffic to /cgi-bin/cstecgi.cgi.
  • Audit router configuration, DNS settings, and administrative credentials for signs of tampering and reset them if compromise is suspected.
  • Consider replacing affected devices if no vendor patch becomes available, given the unauthenticated remote code execution exposure.

Patch Information

At the time of publication, no official vendor patch has been referenced in the NVD entry for firmware 7.4cu.2313_b20191024. Administrators should consult Totolink Security Resources for firmware updates and security advisories addressing this issue.

Workarounds

  • Disable IPv6 Router Advertisement configuration features in the web interface if the deployment does not require them.
  • Enforce strong administrative credentials and disable remote management to reduce the attack surface even though the flaw is pre-authentication.
  • Segment vulnerable routers onto isolated management VLANs and apply access control lists that drop traffic to the CGI endpoint from untrusted sources.
bash
# Example firewall rule to block external access to the vulnerable CGI endpoint
iptables -A INPUT -p tcp --dport 80 -m string \
  --string "/cgi-bin/cstecgi.cgi" --algo bm -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.