CVE-2026-6113
Published: 12 April 2026
Description
A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this vulnerability is the function setTtyServiceCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument ttyEnable leads to OS command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.
Mitigating Controls (NIST 800-53 r5)
- Directly prevents OS command injection by requiring validation and sanitization of the ttyEnable argument in the vulnerable setTtyServiceCfg CGI function.
- Addresses the specific command injection flaw in Totolink A7100RU firmware version 7.4cu.2313_b20191024 through timely flaw remediation and patching.
- Monitors and controls remote network access to the vulnerable /cgi-bin/cstecgi.cgi endpoint, blocking unauthenticated exploitation attempts.
Security Summary
CVE-2026-6113 is an OS command injection vulnerability in the Totolink A7100RU router firmware version 7.4cu.2313_b20191024. The flaw affects the setTtyServiceCfg function within the /cgi-bin/cstecgi.cgi file of the CGI Handler component, where manipulation of the ttyEnable argument enables command injection. Published on 2026-04-12, it is associated with CWE-77 and CWE-78, earning a CVSS v3.1 base score of 9.8.
Unauthenticated remote attackers can exploit this vulnerability with low attack complexity and no user interaction (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By sending crafted requests to the vulnerable endpoint, an attacker can execute arbitrary operating system commands on the device, potentially gaining full control of it, with high impact on confidentiality, integrity, and availability.
VulDB advisories (vuldb.com/vuln/356973 and related pages) document the issue and its CTI context, while a GitHub repository (github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_178/README.md) discloses a public exploit that may be used. The vendor site (totolink.net) is referenced, but no specific patches or mitigations are detailed in the provided information.
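One defensive check suggested by the summary above, as an added example that is not code from the Totolink firmware, VulDB, or the linked repository: scan web-access logs for requests to /cgi-bin/cstecgi.cgi whose ttyEnable argument is anything other than a plain 0/1 flag. It assumes the function name and ttyEnable arrive as URL query parameters (the page does not document the real request format) and that the flag is meant to be boolean; the log lines are constructed, not real traffic.

```python
"""Detection check for requests that could reach CVE-2026-6113.

Added example, not code from the Totolink firmware or from VulDB. Assumption:
the CGI function name and the ttyEnable argument arrive as URL query
parameters of /cgi-bin/cstecgi.cgi. The page does not document the real
request format, so adapt the parser to what your device actually logs.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines in a common combined-log shape (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Apr/2026:10:01:02 +0000] "GET /cgi-bin/cstecgi.cgi?topic=setTtyServiceCfg&ttyEnable=1 HTTP/1.1" 200 88
203.0.113.5 - - [12/Apr/2026:10:01:09 +0000] "GET /cgi-bin/cstecgi.cgi?topic=setTtyServiceCfg&ttyEnable=1%3Bx HTTP/1.1" 200 88
203.0.113.9 - - [12/Apr/2026:10:02:11 +0000] "GET /cgi-bin/cstecgi.cgi?topic=getSysStatus HTTP/1.1" 200 512
203.0.113.9 - - [12/Apr/2026:10:02:30 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)
VULN_PATH = "/cgi-bin/cstecgi.cgi"
ALLOWED_TTY_ENABLE = {"0", "1"}  # assumption: ttyEnable is a boolean flag


def find_suspicious(log_text):
    """Return (source, timestamp, decoded value) for every request to the
    vulnerable CGI whose ttyEnable argument is not exactly "0" or "1".
    An allowlist check is used on purpose: any value that is not a flag is
    anomalous, regardless of which characters it contains."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        url = urlsplit(m.group("target"))
        if url.path != VULN_PATH:
            continue
        # parse_qs percent-decodes values, so "1%3Bx" becomes "1;x"
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("ttyEnable", []):
            if value.strip() not in ALLOWED_TTY_ENABLE:
                hits.append((m.group("src"), m.group("ts"), value))
    return hits


if __name__ == "__main__":
    for src, ts, value in find_suspicious(SAMPLE_LOG):
        print(f"{ts} {src} non-boolean ttyEnable={value!r}")
```

Only the second line is reported; requests to the same CGI for other functions, and well-formed 0/1 values, pass silently.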
Details
- CWE(s): CWE-77, CWE-78
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote OS command injection through a public-facing CGI endpoint on the router maps to T1190 (Exploit Public-Facing Application), and the resulting arbitrary Unix shell command execution maps to T1059.004 (Command and Scripting Interpreter: Unix Shell).