Cyber Posture

CVE-2026-6114

Severity: Critical
Published: 12 April 2026
Modified: 27 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0125 (79.5th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this issue is the function setNetworkCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument proto results in OS command injection. The attack may be initiated remotely. The exploit is now public and may be used.

Mitigating Controls (NIST 800-53 r5)

prevent: Directly prevents OS command injection by requiring validation and sanitization of the 'proto' argument in the /cgi-bin/cstecgi.cgi handler.

prevent: Remediates the specific command injection flaw in Totolink A7100RU firmware version 7.4cu.2313_b20191024 through timely patching.

prevent: Enforces restrictions on the 'proto' argument to block malicious inputs that enable command injection in the setNetworkCfg function.
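The first and third controls above both come down to the same engineering rule: a CGI handler must not hand a request parameter to a shell, and it must accept only values it expects. The C below is an added illustration of that rule, not Totolink's firmware code. The function names (proto_is_valid, build_netcfg_argv), the allowlist values, the tool path /sbin/netcfg and the sample inputs are all constructed for the example; the real setNetworkCfg handler and its accepted proto values are not described on this page.

```c
/* Added example: allowlist validation of a CGI "proto" parameter before it
 * reaches any OS-level operation. Names and values are hypothetical and do
 * not describe the Totolink A7100RU firmware. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed allowlist: the only proto values this handler will accept.
 * An allowlist is preferred over stripping shell metacharacters, because a
 * blocklist has to anticipate every quoting and substitution trick. */
static const char *const PROTO_ALLOWLIST[] = { "dhcp", "static", "pppoe" };
#define PROTO_ALLOWLIST_LEN (sizeof PROTO_ALLOWLIST / sizeof PROTO_ALLOWLIST[0])
#define PROTO_MAX_LEN 16

/* Returns true only when proto is an exact, case-sensitive match for one
 * allowlisted token. Empty, NULL and over-long inputs are rejected. */
bool proto_is_valid(const char *proto)
{
    if (proto == NULL)
        return false;
    size_t n = strlen(proto);
    if (n == 0 || n > PROTO_MAX_LEN)
        return false;
    for (size_t i = 0; i < PROTO_ALLOWLIST_LEN; i++) {
        if (strcmp(proto, PROTO_ALLOWLIST[i]) == 0)
            return true;
    }
    return false;
}

/* Hardened handler step: after validation, build an argv vector suitable
 * for execv()/posix_spawn() instead of formatting a command string for
 * system(). With no shell involved, characters such as ';', '|' or '$('
 * are never interpreted, even if the allowlist is later loosened.
 * Returns argc on success, -1 if the input is rejected or the vector is
 * too small. The caller owns argv; it must hold at least 4 entries. */
int build_netcfg_argv(const char *proto, const char *argv[], size_t max_argv)
{
    if (max_argv < 4)
        return -1;
    if (!proto_is_valid(proto))
        return -1;              /* reject; a real handler would also log this */
    argv[0] = "/sbin/netcfg";   /* hypothetical tool path */
    argv[1] = "--proto";
    argv[2] = proto;            /* safe: exactly one allowlisted token */
    argv[3] = NULL;
    return 3;
}

int main(void)
{
    /* Constructed sample inputs: one benign value and several shaped the
     * way an injection attempt against a shell-backed handler would be. */
    const char *samples[] = { "dhcp", "dhcp; reboot", "$(id)", "PPPOE", "" };
    const char *argv[4];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int argc = build_netcfg_argv(samples[i], argv, 4);
        if (argc < 0)
            printf("rejected : \"%s\"\n", samples[i]);
        else
            printf("accepted : %s %s %s\n", argv[0], argv[1], argv[2]);
    }
    return 0;
}
```

The validator deliberately rejects "PPPOE": normalising case or trimming whitespace before comparison widens the accepted surface, so a handler should either accept the canonical spelling only or canonicalise in one well-tested place. Detection-side, every rejection at this boundary is worth logging with the source address, since a burst of rejected proto values against /cgi-bin/cstecgi.cgi is exactly the signal a defender wants for this CVE.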

Security Summary

CVE-2026-6114, published on 2026-04-12, is an OS command injection vulnerability in the Totolink A7100RU router firmware version 7.4cu.2313_b20191024. The flaw affects the setNetworkCfg function in the /cgi-bin/cstecgi.cgi file of the CGI Handler component, where manipulation of the proto argument enables command injection. It is classified under CWE-77 and CWE-78.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), allowing remote, unauthenticated attackers to exploit it with low complexity and no user interaction. Successful exploitation can result in high impacts to confidentiality, integrity, and availability, such as arbitrary command execution on the device.

Advisories and exploit details are documented in VulDB entries (vuln/356974 and related pages) and a GitHub repository at https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_179/README.md, where the public exploit is hosted. The Totolink manufacturer site is available at https://www.totolink.net/.

The exploit is now public and may be used by attackers.

Details

CWE(s): CWE-77, CWE-78

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.008 Network Device CLI (Execution): Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.

Why these techniques?

CVE-2026-6114 is a command injection vulnerability in a public-facing router web interface (T1190), enabling remote unauthenticated arbitrary OS command execution on the network device (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
