Totolink A7000R vulnerabilities
7 known vulnerabilities affecting totolink/a7000r.
Total CVEs: 7
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 3, MEDIUM 4
Vulnerabilities
CVE-2026-6168 | HIGH | CVSS 7.4 | CWE-119 | v9.1.0u.6115 | 2026-04-13
A flaw has been found in TOTOLINK A7000R up to 9.1.0u.6115. The affected element is the function setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument ssid5g causes stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been published and may be used.
cvelistv5, nvd
CVE-2026-1601 | MEDIUM | CVSS 5.3 | CWE-74 | v4.1cu.4154 | 2026-01-29
A weakness has been identified in Totolink A7000R 4.1cu.4154. The impacted element is the function setUploadUserData of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument FileName can lead to command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.
cvelistv5, nvd
CVE-2026-1623 | MEDIUM | CVSS 5.3 | CWE-74 | v4.1cu.4154 | 2026-01-29
A weakness has been identified in Totolink A7000R 4.1cu.4154. Impacted is the function setUpgradeFW of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument FileName causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.
cvelistv5, nvd
CVE-2026-1548 | MEDIUM | CVSS 5.3 | CWE-74 | v4.1cu.4154 | 2026-01-28
A flaw has been found in Totolink A7000R 4.1cu.4154. This impacts the function CloudACMunualUpdateUserdata of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument url causes command injection. The attack can be initiated remotely. The exploit has been published and may be used.
cvelistv5, nvd
CVE-2026-1547 | MEDIUM | CVSS 5.3 | CWE-74 | v4.1cu.4154 | 2026-01-28
A vulnerability was detected in Totolink A7000R 4.1cu.4154. This affects the function setUnloadUserData of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument plugin_name results in command injection. It is possible to launch the attack remotely. The exploit is now public and may be used.
cvelistv5, nvd
CVE-2024-7212 | HIGH | CVSS 8.7 | CWE-120 | v9.1.0u.6268_B20220504 | 2024-07-30
A vulnerability, which was classified as critical, has been found in TOTOLINK A7000R 9.1.0u.6268_B20220504. This issue affects the function loginauth of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument password leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The
cvelistv5, nvd
CVE-2024-7213 | HIGH | CVSS 8.7 | CWE-120 | v9.1.0u.6268_B20220504 | 2024-07-30
A vulnerability, which was classified as critical, was found in TOTOLINK A7000R 9.1.0u.6268_B20220504. Affected is the function setWizardCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument ssid leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The iden
cvelistv5, nvd