Critical RCE Found in Totolink A7100RU Routers
The National Vulnerability Database has flagged a critical OS command injection vulnerability, identified as CVE-2026-6155, affecting Totolink A7100RU routers running firmware version 7.4cu.2313. This isn’t a run-of-the-mill bug: it carries a CVSS score of 9.8, which is about as bad as it gets.
The flaw resides within the setWanCfg function of the /cgi-bin/cstecgi.cgi file, specifically within the CGI Handler component. An attacker can manipulate the pppoeServiceName argument to inject OS commands. What makes this particularly nasty is that the attack can be launched remotely, and the exploit code is already public. This isn’t some theoretical scenario; it’s a live fire opportunity for threat actors looking to compromise network edge devices.
Command injection vulnerabilities like this are a goldmine for attackers, allowing them to execute arbitrary commands on the underlying operating system. For a router, this means potential full control: sniffing traffic, reconfiguring network settings, or even establishing a foothold for further internal network traversal. It’s a prime example of why proper input sanitization is non-negotiable in web-facing components.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-6155 | Command Injection | Totolink A7100RU version 7.4cu.2313 |
| CVE-2026-6155 | Command Injection | Vulnerable component: CGI Handler |
| CVE-2026-6155 | Command Injection | Vulnerable file: /cgi-bin/cstecgi.cgi |
| CVE-2026-6155 | Command Injection | Vulnerable function: setWanCfg |
| CVE-2026-6155 | Command Injection | Vulnerable argument: pppoeServiceName |
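A log-triage check built from the indicators in the table above, as an added example that is not part of the original article or any vendor tooling. The record schema (`path`, `body`), the JSON and form body encodings, and the allow-list for legitimate service names are assumptions, and the sample records are constructed.

```python
import json
import re
from urllib.parse import parse_qs

CGI_PATH = "/cgi-bin/cstecgi.cgi"   # vulnerable file, from the article
FUNCTION = "setWanCfg"              # vulnerable function, from the article
ARGUMENT = "pppoeServiceName"       # vulnerable argument, from the article

# Assumption: a legitimate PPPoE service name is short, plain text.
SAFE_VALUE = re.compile(r"[A-Za-z0-9 ._-]{0,64}")

def extract_argument(body):
    """Return the pppoeServiceName value from a JSON or form body, else None."""
    try:
        data = json.loads(body)
        if isinstance(data, dict) and ARGUMENT in data:
            return str(data[ARGUMENT])
    except ValueError:
        pass  # not JSON, fall through to form decoding
    values = parse_qs(body, keep_blank_values=True).get(ARGUMENT)
    return values[0] if values else None

def is_suspicious(record):
    """True if a request to the CGI handler carries a non-allow-listed value."""
    if not record["path"].split("?")[0].endswith(CGI_PATH):
        return False
    body = record.get("body", "")
    if FUNCTION not in body:
        return False
    value = extract_argument(body)
    return value is not None and SAFE_VALUE.fullmatch(value) is None

def scan(records):
    """Return the indexes of records that warrant investigation."""
    return [i for i, r in enumerate(records) if is_suspicious(r)]

# Constructed sample records (hypothetical proxy/WAF log schema and field names).
SAMPLES = [
    {"path": CGI_PATH, "body": '{"function": "setWanCfg", "pppoeServiceName": "isp-home"}'},
    {"path": CGI_PATH, "body": '{"function": "setWanCfg", "pppoeServiceName": "isp; id"}'},
    {"path": CGI_PATH, "body": "function=setWanCfg&pppoeServiceName=isp%24%28id%29"},
    {"path": "/index.html", "body": '{"function": "setWanCfg", "pppoeServiceName": "isp; id"}'},
    {"path": CGI_PATH, "body": '{"function": "setWanCfg", "example": "1"}'},
]

if __name__ == "__main__":
    for i in scan(SAMPLES):
        print("investigate record", i, SAMPLES[i]["body"])
```

An allow-list is used instead of a list of shell metacharacters so that encodings or separators not anticipated here still fail the check.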