Cyber Posture

CVE-2026-4611

Severity: High
Published: 23 March 2026
Modified: 03 April 2026
KEV Added:
Patch:
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0159 (81.8th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

A flaw has been found in TOTOLINK X6000R firmware 9.4.0cu.1360_B20241207 and 9.4.0cu.1498_B20250826. The affected code is the function setLanCfg in the file /usr/sbin/shttpd. Manipulation of the Hostname argument can lead to OS command injection. The attack may be launched remotely.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- prevent: Directly mitigates OS command injection by requiring validation and sanitization of untrusted inputs like the Hostname argument to the setLanCfg function.
- prevent: Addresses the specific flaw in the shttpd component by requiring timely identification, reporting, and correction of vulnerabilities like CVE-2026-4611 through patching.
- prevent: Limits the impact of successful command injection by enforcing least privilege, reducing the privileges available to high-privilege (PR:H) attackers exploiting the vulnerability.
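An added illustration of the first control, input validation of the Hostname value; this is not code from TOTOLINK or from shttpd's setLanCfg. It shows a strict allowlist validator for a hostname, and a way to apply the value through execv rather than a shell so that it is never parsed for metacharacters. The /bin/hostname path is an assumption about the target's layout.

```c
#include <stdbool.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Strict allowlist for a hostname (RFC 1123 syntax): 1-253 chars, labels of
 * 1-63 chars separated by dots, only ASCII letters, digits and hyphens, no
 * label starting or ending with a hyphen. Anything a shell could interpret
 * (';', '|', '`', '$', spaces, quotes, ...) is outside the allowlist. */
bool is_valid_hostname(const char *h) {
    size_t len = h ? strlen(h) : 0;
    if (len == 0 || len > 253) return false;
    size_t label_len = 0;
    for (size_t i = 0; i < len; i++) {
        char c = h[i];
        if (c == '.') {
            /* an empty label or a label ending in '-' is invalid */
            if (label_len == 0 || h[i - 1] == '-') return false;
            label_len = 0;
            continue;
        }
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '-';
        if (!ok) return false;
        if (label_len == 0 && c == '-') return false;
        if (++label_len > 63) return false;
    }
    /* a trailing dot leaves an empty last label; a trailing '-' is invalid */
    return label_len > 0 && h[len - 1] != '-';
}

/* Apply the hostname without a shell: argv elements reach execv verbatim, so
 * even a value that slipped past validation is never parsed for metacharacters.
 * The path /bin/hostname is an assumption about the device's BusyBox layout. */
int apply_hostname(const char *name) {
    if (!is_valid_hostname(name)) return -1;   /* reject before any exec */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "hostname", (char *)name, NULL };
        execv("/bin/hostname", argv);
        _exit(127);                            /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```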

Security Summary [AI-generated]

CVE-2026-4611 is an OS command injection vulnerability affecting the TOTOLINK X6000R router running firmware versions 9.4.0cu.1360_B20241207 and 9.4.0cu.1498_B20250826. The flaw resides in the setLanCfg function within the /usr/sbin/shttpd component, where manipulation of the Hostname argument enables arbitrary command execution. This issue corresponds to CWE-77 (Command Injection) and CWE-78 (OS Command Injection) and has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

A remote attacker with high privileges can exploit this vulnerability over the network with low attack complexity and no user interaction. Successful exploitation has high impact on confidentiality, integrity, and availability, potentially allowing full system compromise through execution of arbitrary commands on the underlying operating system.

Advisories detailing the vulnerability are available from VulDB at https://vuldb.com/?ctiid.352475, https://vuldb.com/?id.352475, and https://vuldb.com/?submit.775642, along with the vendor site at https://www.totolink.net/. Consult these sources for specific mitigation or patch information.

Details

CWE(s): CWE-77 (Command Injection), CWE-78 (OS Command Injection)

Affected Products

Vendor: totolink
Product: x6000r firmware
Versions: 9.4.0cu.1360_b20241207, 9.4.0cu.1498_b20250826

MITRE ATT&CK Enterprise Techniques [AI-generated]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

The vulnerability is an OS command injection in a public-facing router web interface (/usr/sbin/shttpd setLanCfg), enabling exploitation of a public-facing application (T1190) to achieve arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References