This critical vulnerability affects the setNetworkCfg function in the CGI handler of affected Totolink A7100RU firmware. Remote unauthenticated attackers can manipulate the proto argument in requests to /cgi-bin/cstecgi.cgi to inject and execute arbitrary OS commands. Public exploit code is available for this flaw.
Remediation
Totolink has not released an official patch to remediate this vulnerability. Organizations should limit access to the affected router's management interface to only trusted internal IP addresses. Discontinue use of the device if no patch is provided by the vendor.
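While the device remains in service, the access restriction above can be checked against captured traffic. The following is an added example, not code from the vendor or from this advisory: it audits request records for hits on /cgi-bin/cstecgi.cgi from outside a trusted range and for setNetworkCfg requests whose proto value falls outside a conservative allow-list. The record layout, the JSON body shape (including the key that carries the function name), the trusted range and the allow-list pattern are all assumptions.

```python
import ipaddress
import json
import re

MGMT_PATH = "/cgi-bin/cstecgi.cgi"  # endpoint named in the advisory
# Assumption: the only network allowed to reach the management interface.
TRUSTED_NETS = [ipaddress.ip_network("192.168.0.0/24")]
# Assumption: a legitimate proto value is a short plain token.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{1,32}")

def audit(record):
    """Return a list of findings for one captured request record."""
    findings = []
    if record["path"].split("?", 1)[0] != MGMT_PATH:
        return findings  # not the management CGI, nothing to check
    src = ipaddress.ip_address(record["src"])
    if not any(src in net for net in TRUSTED_NETS):
        findings.append("untrusted-source")
    try:
        body = json.loads(record.get("body") or "{}")
    except json.JSONDecodeError:
        return findings + ["unparseable-body"]
    # Match the function name on any value so the check does not depend on
    # the (assumed) key name used to carry it.
    if isinstance(body, dict) and "setNetworkCfg" in map(str, body.values()):
        proto = body.get("proto")
        if proto is not None and not SAFE_VALUE.fullmatch(str(proto)):
            findings.append("suspicious-proto")
    return findings

# Constructed sample records (not real traffic); "topicurl" is an assumed key.
SAMPLES = [
    {"src": "192.168.0.10", "path": MGMT_PATH,
     "body": '{"topicurl": "setNetworkCfg", "proto": "dhcp"}'},
    {"src": "203.0.113.7", "path": MGMT_PATH,
     "body": '{"topicurl": "setNetworkCfg", "proto": "dhcp"}'},
    {"src": "192.168.0.10", "path": MGMT_PATH,
     "body": '{"topicurl": "setNetworkCfg", "proto": "dhcp;x"}'},
    {"src": "198.51.100.4", "path": MGMT_PATH, "body": "not json"},
    {"src": "203.0.113.7", "path": "/index.html", "body": ""},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["src"], rec["path"], audit(rec))
```

Any "untrusted-source" finding means the management interface is reachable from outside the trusted range and the restriction is not in effect.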
Exploit info
The exploit has been released to the public. Public references are available at https://app.opencve.io/cve/CVE-2026-6114 and https://vulners.com/cve/CVE-2026-6114. Potential exploit details can be searched for in Exploit-DB or on GitHub: https://www.exploit-db.com/search?cve=CVE-2026-6114 | https://github.com/search?q=CVE-2026-6114+exploit