This flaw exists in the setTtyServiceCfg function of the CGI component in affected Totolink A7100RU firmware. Remote attackers can send maliciously crafted requests to the /cgi-bin/cstecgi.cgi endpoint with a manipulated ttyEnable argument to achieve arbitrary command execution. The exploit is publicly available, which increases the risk of active exploitation.
Remediation
There is currently no official vendor patch for this vulnerability. Block all external access to the affected device's web interface to reduce exposure. If a patch is not released in a timely manner, replace the unsupported device with a current, secured alternative.
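To check whether requests for the affected function are still reaching the device, the following added example (not vendor or advisory code) classifies logged requests to /cgi-bin/cstecgi.cgi by their ttyEnable value. It assumes request bodies are captured by a proxy or sensor, that the body is JSON or form-encoded, and that ttyEnable is an on/off flag whose only expected values are 0 and 1; the sample records and the key name placeholder_key are constructed.

```python
import json
import re
from urllib.parse import parse_qs

ENDPOINT = "/cgi-bin/cstecgi.cgi"   # from the advisory
FUNCTION = "setTtyServiceCfg"       # from the advisory
PARAM = "ttyEnable"                 # from the advisory
ALLOWED = {"0", "1"}                # assumption: ttyEnable is an on/off flag

def extract_param(body):
    """Return the ttyEnable value from a JSON or form-encoded body, or None."""
    try:
        data = json.loads(body)
        if isinstance(data, dict) and PARAM in data:
            return str(data[PARAM])
    except ValueError:
        pass  # not JSON, try the other encodings
    values = parse_qs(body, keep_blank_values=True).get(PARAM)
    if values:
        return values[0]
    # Fallback for malformed bodies: take the raw text after the key.
    m = re.search(PARAM + r'["\']?\s*[:=]\s*["\']?([^"\'&,}]*)', body)
    return m.group(1) if m else None

def classify(path, body):
    """Return 'ignore', 'expected' or 'alert' for one logged request."""
    if path.split("?", 1)[0] != ENDPOINT or FUNCTION not in body:
        return "ignore"
    value = extract_param(body)
    if value is None:
        return "ignore"
    # Allow-list check: anything other than a plain flag value is reported.
    return "expected" if value.strip() in ALLOWED else "alert"

# Constructed sample records (path, body); not captured traffic.
SAMPLE = [
    (ENDPOINT, '{"placeholder_key":"setTtyServiceCfg","ttyEnable":"1"}'),
    (ENDPOINT, '{"placeholder_key":"setTtyServiceCfg","ttyEnable":"CONSTRUCTED-NON-FLAG-VALUE"}'),
    (ENDPOINT, "placeholder_key=setTtyServiceCfg&ttyEnable=0"),
    ("/index.html", ""),
]

if __name__ == "__main__":
    for path, body in SAMPLE:
        print(classify(path, body), path, body)
```

Any "expected" or "alert" result from a source outside the management network means the web interface is still reachable and the blocking rule needs review.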
Exploit info
The exploit has been released to the public; public references are available at https://app.opencve.io/cve/CVE-2026-6113 or https://vulners.com/cve/CVE-2026-6113. Potential exploit details can be searched in Exploit-DB or GitHub: https://www.exploit-db.com/search?cve=CVE-2026-6113 | https://github.com/search?q=CVE-2026-6113+exploit