Critical RCE Found in Totolink A7100RU Routers

Shimi’s Cyber World is flagging a critical vulnerability, CVE-2026-6140, impacting the Totolink A7100RU router, specifically firmware version 7.4cu.2313_b20191024. According to the National Vulnerability Database, this flaw resides within the UploadFirmwareFile function of the /cgi-bin/cstecgi.cgi component, a common target for unsavory activity.

The vulnerability, an OS command injection, is triggered by manipulating the FileName argument. This isn’t some niche local exploit; it’s remotely exploitable, meaning attackers can leverage it from anywhere on the internet. With a CVSS score of 9.8, this is firmly in ‘drop everything’ territory. The National Vulnerability Database also reports that an exploit for this has already been made public, significantly increasing the immediate threat level. This isn’t a theoretical risk; it’s a live one.

Attackers can achieve full remote code execution, effectively owning the device. For home users, this means a compromised network gateway. For small businesses, it’s a wide-open door. The associated CWEs, CWE-77 and CWE-78, point to improper neutralization of special elements in commands, a classic and often devastating vulnerability class. It’s a stark reminder that even seemingly innocuous network devices can harbor critical flaws.