PT-2026-31593 · Totolink · Totolink A7100Ru

Ltzhuster2

Published

2026-04-09

Updated

2026-04-10

CVE-2026-5854

CVSS v3.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Totolink A7100RU version 7.4cu.2313 b20191024

Description A vulnerability exists in the Totolink A7100RU device that allows for remote operating system command injection. This is due to a flaw in the setWiFiEasyCfg function within the /cgi-bin/cstecgi.cgi file, part of the CGI Handler component. Manipulation of the merge argument can lead to the execution of arbitrary commands on the system. The exploit for this issue is publicly available.

Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the /cgi-bin/cstecgi.cgi file.

Exploit

Fix

RCE

Command Injection

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-77CWE-78

Related Identifiers

CVE-2026-5854

Affected Products

Totolink A7100Ru

PT-2026-31593 · Totolink · Totolink A7100Ru

CVE-2026-5854

Weakness Enumeration

Related Identifiers

Affected Products

References · 13