Critical RCE Found in Totolink A7100RU Routers
The National Vulnerability Database (NVD) has detailed a critical remote code execution (RCE) vulnerability, CVE-2026-6139, affecting Totolink A7100RU routers running firmware version 7.4cu.2313_b20191024. This isn’t just a minor glitch; we’re talking about a CVSS score of 9.8, which puts it squarely in the ‘drop everything and fix this’ category.
The flaw resides in the UploadOpenVpnCert function of the /cgi-bin/cstecgi.cgi component and stems from improper handling of the FileName argument. Manipulating this argument allows OS command injection, meaning an attacker can remotely execute arbitrary commands on the device. The NVD notes that exploit details have already been publicly disclosed, significantly increasing the immediate risk for anyone running these devices. This isn’t theoretical; it’s practically weaponized.
From a technical perspective, this is a classic case of CWE-77 and CWE-78: improper neutralization of special elements used in a command, and OS command injection, respectively. It’s a stark reminder that even seemingly innocuous file upload functions can be a gaping security hole if not handled with extreme care. Given the network-facing nature of these devices, this vulnerability is a prime target for initial access.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-6139 | Command Injection | Totolink A7100RU version 7.4cu.2313_b20191024 |
| CVE-2026-6139 | Command Injection | Vulnerable component: CGI Handler |
| CVE-2026-6139 | Command Injection | Vulnerable file: /cgi-bin/cstecgi.cgi |
| CVE-2026-6139 | Command Injection | Vulnerable function: UploadOpenVpnCert |
| CVE-2026-6139 | Command Injection | Vulnerable argument: FileName in UploadOpenVpnCert function |
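
A triage check built only from the identifiers in the table above, as an added example (not code from the NVD, Totolink, or this page's detection rules): it flags requests to /cgi-bin/cstecgi.cgi that reference UploadOpenVpnCert with a FileName value outside a conservative allowlist. The record shape, the `action` field, the JSON and form body encodings, and the allowlist itself are assumptions, since the page does not describe the request format.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

CGI_PATH = "/cgi-bin/cstecgi.cgi"   # vulnerable file named in the advisory
FUNCTION = "UploadOpenVpnCert"      # vulnerable function
ARGUMENT = "FileName"               # injectable argument
# Assumption: a legitimate certificate upload name needs only these characters.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")

# Constructed records, shaped like a proxy or WAF log that keeps request bodies.
# The "action" selector field is hypothetical; the page does not give the format.
SAMPLE_REQUESTS = [
    {"src": "192.0.2.10", "url": "http://192.0.2.1/cgi-bin/cstecgi.cgi",
     "body": '{"action": "UploadOpenVpnCert", "FileName": "client.ovpn"}'},
    {"src": "198.51.100.7", "url": "http://192.0.2.1/cgi-bin/cstecgi.cgi",
     "body": '{"action": "UploadOpenVpnCert", "FileName": "client.ovpn;true"}'},
    {"src": "198.51.100.7", "url": "http://192.0.2.1/cgi-bin/cstecgi.cgi?x=1",
     "body": "action=UploadOpenVpnCert&FileName=ca.crt%3Btrue"},
]

def extract_fields(body):
    """Parse a body as a JSON object, falling back to URL-encoded form data."""
    try:
        data = json.loads(body)
        if isinstance(data, dict):
            return {str(k): str(v) for k, v in data.items()}
    except ValueError:
        pass
    return {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}

def triage(request):
    """Return a finding for a request to the vulnerable handler, else None."""
    if urlsplit(request["url"]).path != CGI_PATH or FUNCTION not in request["body"]:
        return None
    name = extract_fields(request["body"]).get(ARGUMENT)
    if name is None:
        return f"{request['src']}: {ARGUMENT} not parsed, review body manually"
    if SAFE_NAME.fullmatch(name):
        return None
    return f"{request['src']}: {ARGUMENT}={name!r} fails filename allowlist"

def scan(requests):
    """Collect findings for every request that reaches the handler unsafely."""
    return [f for f in map(triage, requests) if f is not None]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

The check only works where request bodies are captured, for example at a reverse proxy or WAF in front of the management interface; standard access logs do not record them.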