Cyber Posture

CVE-2026-6027

Critical

Published: 10 April 2026

Published
10 April 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0125 79.5th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

A weakness has been identified in Totolink A7100RU 7.4cu.2313_b20191024. This issue affects the function setUrlFilterRules of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument enable can lead to os command injection. The attack can…

more

be launched remotely. The exploit has been made available to the public and could be used for attacks.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly prevents OS command injection by validating the 'enable' argument in the setUrlFilterRules CGI function.

SI-2 Flaw Remediation good match
prevent

Remediates the specific flaw in the Totolink A7100RU firmware's CGI handler through timely patching.

AC-3 Access Enforcement good match
prevent

Enforces authentication and authorization requirements for the vulnerable /cgi-bin/cstecgi.cgi endpoint to block unauthenticated remote access.

Security SummaryAI

CVE-2026-6027 is an OS command injection vulnerability affecting the Totolink A7100RU router on firmware version 7.4cu.2313_b20191024. The flaw exists in the setUrlFilterRules function of the /cgi-bin/cstecgi.cgi file within the CGI Handler component, where manipulation of the "enable" argument enables attackers to inject and execute operating system commands.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), making it critically severe due to its network accessibility, low complexity, and lack of required privileges or user interaction. Remote, unauthenticated attackers can exploit it to run arbitrary commands on the device, potentially achieving full compromise with high impacts to confidentiality, integrity, and availability.

Advisories on VulDB (vuln/356603) and a related GitHub repository detail the issue, while the Totolink vendor site (totolink.net) may offer guidance. An exploit is publicly available, heightening the potential for real-world attacks.

Details

CWE(s)
CWE-77CWE-78

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
attack.mitre.org →
Why these techniques?

CVE enables exploitation of a public-facing web application (router CGI) for unauthenticated remote command injection on a network device CLI.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References