Critical Command Injection Flaws Expose Totolink A7100RU Routers to RCE
Two newly disclosed vulnerabilities, CVE-2026-5854 and CVE-2026-5977, affect the Totolink A7100RU router running firmware 7.4cu.2313_b20191024 and allow remote command execution without authentication or user interaction. Both flaws are in the router’s CGI handler at /cgi-bin/cstecgi.cgi: CVE-2026-5854 is tied to the setWiFiEasyCfg function through the merge argument, while CVE-2026-5977 affects setWiFiBasicCfg through the wifiOff argument.
Timeline
Apr 10, 2026
Third Totolink A7100RU command injection flaw is disclosed as CVE-2026-5993
On 2026-04-10, CVE-2026-5993 was received for Totolink A7100RU firmware 7.4cu.2313_b20191024. The flaw affects the setWiFiGuestCfg function in /cgi-bin/cstecgi.cgi and allows remote OS command injection via the wifiOff argument without privileges or user interaction; public exploit information was noted.
Apr 9, 2026
Two command injection flaws in Totolink A7100RU are disclosed as CVEs
On April 9, 2026, CVE-2026-5854 and CVE-2026-5977 were recorded for Totolink A7100RU firmware 7.4cu.2313_b20191024. The flaws affect the setWiFiEasyCfg and setWiFiBasicCfg functions in /cgi-bin/cstecgi.cgi and allow remote OS command injection without privileges or user interaction; public exploit information was noted.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Affected Products
Sources
Related Stories
Unauthenticated Command Injection Flaws Disclosed in Totolink A7100RU and A8000RU Routers
Two high-severity vulnerabilities have been disclosed in Totolink routers that allow remote, unauthenticated OS command injection through the CGI handler in `/cgi-bin/cstecgi.cgi`. The flaws affect the **A7100RU** (`CVE-2026-5853`) running firmware `7.4cu.2313_b20191024` and the **A8000RU** (`CVE-2026-7124`) running firmware `7.1cu.643_b20200521`, with both issues tied to the `setIpv6LanCfg` function and abuse of the `addrPrefixLen` argument. The vulnerabilities are mapped to `CWE-78` and `CWE-77` and can be exploited remotely without authentication or user interaction.
6 days ago
Unauthenticated Command Injection Flaws Disclosed in Totolink A7100RU Router
Two critical vulnerabilities, **CVE-2026-5851** and **CVE-2026-5976**, were disclosed in the **Totolink A7100RU** router running firmware `7.4cu.2313_b20191024`, exposing the device to remote **OS command injection** without authentication or user interaction. Both flaws affect `/cgi-bin/cstecgi.cgi` in the router's CGI handler: CVE-2026-5851 is tied to the `setUPnPCfg` function through the `enable` argument, while CVE-2026-5976 affects the `setStorageCfg` function through the `sambaEnabled` argument. The vulnerabilities were classified under **CWE-78** and **CWE-77** and were assigned high to critical severity across CVSS versions, reflecting potential compromise of confidentiality, integrity, and availability. Public exploit information has reportedly been released, including references to **VulDB** and a **GitHub** disclosure repository, increasing the likelihood of exploitation against exposed devices that have not been updated or otherwise mitigated.
2 weeks ago
Critical Command Injection Flaws Expose Totolink A8000RU Routers to Remote RCE
Three critical vulnerabilities, **CVE-2026-7121**, **CVE-2026-7122**, and **CVE-2026-7125**, were disclosed in the **Totolink A8000RU** router running firmware `7.1cu.643_b20200521`, all affecting the `/cgi-bin/cstecgi.cgi` CGI handler. The flaws are OS command injection issues in the `setWizardCfg`, `setUPnPCfg`, and `setWiFiEasyCfg` functions, where crafted input to the `wizard`, `enable`, and `merge` arguments can trigger command execution on the device. The vulnerabilities are mapped to **CWE-78** and **CWE-77** and were rated critical across **CVSS v2**, **CVSS v3.1**, and **CVSS v4.0** scoring schemes. All three issues are remotely exploitable over the network and require **no privileges** and **no user interaction**, creating a high-risk exposure for internet-accessible devices. Public exploit information has already been disclosed, with references including VulDB entries and a GitHub proof-of-concept, increasing the likelihood of near-term exploitation. The disclosures indicate that multiple administrative configuration paths in the router's web interface can be abused for remote code execution, making unpatched A8000RU systems a priority for immediate review and remediation.
5 days ago