# CVE-2021-46007 ## Command Injection in Totolink A3100R V5.9c.4577 by KVS * Description The backend of a page is executing the "ping" command, and the input field does not adequately filter special symbols. This can lead to command injection attacks. * Affected version Totolink A3100R V5.9c.4577 * Root Cause Analysis It seems that all special symbols are not checked * Proof-of-Concept {%youtube oKGExokqQqc %}