CVE-2026-6112

Critical

Published: 12 April 2026

Published

12 April 2026

Modified

27 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0125 79.5th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

A weakness has been identified in Totolink A7100RU 7.4cu.2313_b20191024. Affected is the function setRadvdCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument maxRtrAdvInterval causes os command injection. The attack can be initiated remotely. The…

exploit has been made available to the public and could be used for attacks.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the OS command injection vulnerability in the setRadvdCfg function by requiring timely identification, reporting, and correction of the specific flaw.

SI-10 Information Input Validation good match

prevent

Prevents exploitation of the command injection by validating the maxRtrAdvInterval argument in the CGI handler to block malicious input.

RA-5 Vulnerability Monitoring and Scanning good match

detectrespond

Detects the CVE-2026-6112 vulnerability through regular scanning of the Totolink router firmware and drives remediation to patch the exposed flaw.

Security SummaryAI

CVE-2026-6112 is an OS command injection vulnerability affecting the Totolink A7100RU router on firmware version 7.4cu.2313_b20191024. The issue lies in the setRadvdCfg function of the /cgi-bin/cstecgi.cgi file within the CGI Handler component, where manipulation of the maxRtrAdvInterval argument triggers command injection. Published on 2026-04-12, it is associated with CWE-77 and CWE-78 and carries a CVSS v3.1 base score of 9.8.

The vulnerability enables remote exploitation without authentication, privileges, or user interaction (AV:N/AC:L/PR:N/UI:N/S:U), allowing attackers to achieve high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). Successful attacks permit arbitrary OS command execution on the device.

Advisories detail the flaw on VulDB (vuln/356972 and related pages) and provide a public exploit in a GitHub repository (Litengzheng/vuldb_new). The Totolink website (totolink.net) is referenced for further information, though specific patches are not detailed in the disclosure.

The exploit is publicly available and could be used for attacks, heightening risk for unpatched Totolink A7100RU devices.

Details

CWE(s): CWE-77 CWE-78

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

Unauthenticated remote OS command injection via public-facing CGI on router directly enables T1190 (Exploit Public-Facing Application) and facilitates arbitrary Unix Shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_177/README.md
cna@vuldb.com
https://vuldb.com/submit/792245
cna@vuldb.com
https://vuldb.com/vuln/356972
cna@vuldb.com
https://vuldb.com/vuln/356972/cti
cna@vuldb.com
https://www.totolink.net/
cna@vuldb.com