This critical vulnerability affects the setRadvdCfg function in the CGI handler of Totolink A7100RU router firmware. Unauthenticated remote attackers can manipulate the maxRtrAdvInterval argument to inject arbitrary operating system commands. Public exploit code has been released, which makes the vulnerability easy for threat actors to abuse.
Remediation
No official patch has been released by Totolink for this vulnerability at this time. Administrators should restrict access to the router's web management interface from untrusted public networks. Consider replacing the affected device with a supported alternative if no patch is released.
Exploit info
The exploit has been released to the public; public references are available at https://app.opencve.io/cve/CVE-2026-6112 or https://vulners.com/cve/CVE-2026-6112. Potential exploit details can be searched in Exploit-DB or GitHub: https://www.exploit-db.com/search?cve=CVE-2026-6112 | https://github.com/search?q=CVE-2026-6112+exploit