PT-2026-32190 · Totolink · Totolink A7100Ru

Ltzhuster · Published 2026-03-29 · Updated 2026-04-13 · CVE-2026-6132

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Totolink A7100RU version 7.4cu.2313 b20191024

Description

A remote OS command injection exists in the CGI Handler component. This issue occurs in the setLedCfg() function of the '/cgi-bin/cstecgi.cgi' endpoint, where improper validation of the enable parameter allows unauthenticated attackers to execute arbitrary operating system commands. OS command injection is a vulnerability that allows an attacker to execute system-level commands on the host machine.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability. Isolate affected devices from internet exposure. Monitor for suspicious CGI requests to '/cgi-bin/cstecgi.cgi'. Implement network segmentation for IoT devices. Review logs for exploitation attempts targeting the enable parameter. Restrict access to the setLedCfg() function.
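
The monitoring and log-review recommendations can be implemented as an allow-list check on the enable parameter. The Python below is an added example, not code from this advisory or from the vendor. It assumes request bodies are captured (for example by a reverse proxy in front of the device) as JSON or form-encoded text, that the handler is named in a `topicurl` body field, and that legitimate enable values are `0` or `1`; the record layout and sample data are constructed.

```python
import json
import re
from urllib.parse import parse_qs

ENDPOINT = "/cgi-bin/cstecgi.cgi"   # from the advisory
HANDLER = "setLedCfg"               # from the advisory
HANDLER_FIELD = "topicurl"          # assumption: body field that names the handler
ALLOWED_ENABLE = {"0", "1"}         # assumption: the LED switch is a 0/1 flag
SHELL_META = re.compile(r"[;&|`$<>(){}\\\n\r]")

def parse_body(body):
    """Parse a JSON object or form-encoded body into a flat dict of strings."""
    try:
        doc = json.loads(body)
        if isinstance(doc, dict):
            return {k: str(v) for k, v in doc.items()}
    except ValueError:
        pass
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def triage(records):
    """Return (src, reason) for setLedCfg requests whose enable is not 0 or 1."""
    findings = []
    for rec in records:
        if rec["method"] != "POST" or rec["path"].split("?", 1)[0] != ENDPOINT:
            continue
        fields = parse_body(rec["body"])
        if fields.get(HANDLER_FIELD, HANDLER) != HANDLER:
            continue  # request names a different handler
        value = fields.get("enable")
        if value is None and re.search(r"\benable\b", rec["body"]):
            # Body mentions enable but did not parse cleanly: review by hand.
            findings.append((rec["src"], "unparsed-body"))
        elif value is not None and value not in ALLOWED_ENABLE:
            meta = SHELL_META.search(value)
            findings.append((rec["src"], "shell-metacharacter" if meta else "unexpected-value"))
    return findings

def _rec(src, body):
    return {"src": src, "method": "POST", "path": ENDPOINT, "body": body}

# Constructed sample records (documentation addresses, placeholder values).
SAMPLE = [
    _rec("192.0.2.10", '{"topicurl":"setLedCfg","enable":"1"}'),
    _rec("198.51.100.7", '{"topicurl":"setLedCfg","enable":"1;PLACEHOLDER"}'),
    _rec("198.51.100.8", "topicurl=setLedCfg&enable=on"),
    _rec("198.51.100.9", '{"topicurl":"setLedCfg","enable":"1"'),
    _rec("192.0.2.11", '{"topicurl":"exampleOtherHandler"}'),
]
```

Because the check is an allow-list, it flags any value other than `0` or `1` rather than trying to enumerate injection strings; the metacharacter match only sets triage priority.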

Exploit

RCE

Command Injection

OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2026-07592
CVE-2026-6132

Affected Products

Totolink A7100Ru