CVE-2026-6028
Published: 10 April 2026
Description
A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. Impacted is the function setPptpServerCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument enable leads to OS command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used.
Mitigating Controls (NIST 800-53 r5)
- Directly validates and sanitizes CGI inputs such as the 'enable' argument to prevent OS command injection in setPptpServerCfg.
- Remediates the specific command injection flaw through timely firmware patching and updates for the affected Totolink A7100RU router.
- Restricts unauthenticated access to sensitive CGI handlers like /cgi-bin/cstecgi.cgi to block remote exploitation without identification or authentication.
Security Summary
CVE-2026-6028 is an OS command injection vulnerability affecting the Totolink A7100RU router running firmware version 7.4cu.2313_b20191024. The flaw resides in the setPptpServerCfg function within the /cgi-bin/cstecgi.cgi file of the CGI Handler component, where manipulation of the "enable" argument allows arbitrary command execution. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-77 (Command Injection) and CWE-78 (OS Command Injection). The vulnerability was published on 2026-04-10.
The vulnerability can be exploited remotely by unauthenticated attackers with network access, requiring low complexity and no user interaction. Successful exploitation enables full control over the device, including high confidentiality, integrity, and availability impacts through injected OS commands.
Advisories from VulDB (vuln/356604) document the issue and note public disclosure of an exploit, with a proof-of-concept available in a GitHub repository at https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_173/README.md. Practitioners should check the vendor site at https://www.totolink.net/ for any firmware updates or mitigation guidance, as no specific patches are detailed in the provided references.
The exploit has been publicly disclosed and may be actively used, increasing the urgency for affected devices to be patched or isolated.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote unauthenticated OS command injection in a public-facing CGI interface on a router, directly enabling T1190 (Exploit Public-Facing Application) for initial access and T1059.004 (Unix Shell) for arbitrary command execution on the likely Linux-based device OS.