Cyber Posture

CVE-2026-6025

Critical

Published: 10 April 2026
Modified: 27 April 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0125 (79.5th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

A vulnerability was identified in Totolink A7100RU 7.4cu.2313_b20191024. It affects the function setSyslogCfg of the file /cgi-bin/cstecgi.cgi in the CGI Handler component. Manipulation of the argument 'enable' leads to OS command injection. The attack can be launched remotely. The exploit is publicly available and might be used.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent: Directly mitigates OS command injection by requiring validation of the untrusted 'enable' argument in the vulnerable CGI handler.

prevent: Ensures timely flaw remediation through firmware patching to eliminate the command injection vulnerability.

detect: Facilitates identification of the CVE-2026-6025 vulnerability via regular scanning of the affected router firmware.

Security Summary [AI-generated]

CVE-2026-6025 is an OS command injection vulnerability affecting the Totolink A7100RU router running firmware version 7.4cu.2313_b20191024. The issue resides in the setSyslogCfg function within the /cgi-bin/cstecgi.cgi file of the CGI handler component, where improper handling of the 'enable' argument allows attackers to inject arbitrary operating system commands. Classified under CWE-77 (Command Injection) and CWE-78 (OS Command Injection), it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-04-10.

The vulnerability enables remote exploitation without authentication, privileges, or user interaction, requiring only network access to the affected device. Successful attacks allow attackers to execute arbitrary OS commands, potentially leading to full compromise of the router with high impacts on confidentiality, integrity, and availability, such as data theft, persistent access, or device disruption.

Advisories and references, including VulDB entries (vuln/356601) and a GitHub repository detailing the exploit, confirm the issue and provide proof-of-concept code. The Totolink vendor website is referenced for potential firmware updates or mitigation guidance, though specific patch details are not outlined in the primary description. Security practitioners should review these sources for remediation steps.

Notably, a public exploit is available, increasing the risk of real-world abuse against unpatched Totolink A7100RU devices.

Details

CWE(s)

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Unauthenticated OS command injection via the public-facing web CGI interface directly enables T1190 (Exploit Public-Facing Application) and facilitates arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References