CVE-2026-6114 - Vulnerability Analysis
CriticalCVSS: 9.8Last Updated: April 13, 2026
Totolink A7100RU - Command Injection
Overview
Totolink A7100RU 7.4cu.2313_b20191024 contains a command injection caused by manipulation of the "proto" argument in /cgi-bin/cstecgi.cgi setNetworkCfg function, letting remote attackers execute arbitrary OS commands, exploit requires no special privileges.
Severity & Score
Impact
Remote attackers can execute arbitrary OS commands, potentially taking full control of the device.
Mitigation
Update to the latest version or apply vendor patches addressing this issue.
References
Social Media Activity(2 posts)
š“ CVE-2026-6114 - Critical (9.8) A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this issue is the function setNetworkCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument proto results in o... š https://www.thehackerwire.com/vulnerability/CVE-2026-6114/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original post
Totolink A7100RU (7.4cu.2313_b20191024) faces a CRITICAL OS command injection (CVE-2026-6114, CVSS 9.3). Remote, unauthenticated code execution possible. No patch yet ā disable remote mgmt & watch for updates. https://radar.offseq.com/threat/cve-2026-6114-os-command-injection-in-totolink-a71-384165a1 #OffSeq #CVE20266114 #Vuln #RouterSecurity
View original postRelated Resources
Details
- CVE ID
- CVE-2026-6114
- Severity
- Critical
- CVSS Score
- 9.8
- Type
- command_injection
- Status
- unconfirmed
- EPSS
- 89.2%
- Social Posts
- 2
CWE
- CWE-77
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H