CVE-2026-6115

Critical

Published: 12 April 2026

Published

12 April 2026

Modified

27 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0125 79.5th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

A flaw has been found in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function setAppCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument enable can lead to os command injection. The attack may be…

launched remotely. The exploit has been published and may be used.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents OS command injection by requiring validation and sanitization of inputs like the 'enable' argument to the vulnerable setAppCfg CGI function.

SI-2 Flaw Remediation good match

prevent

Addresses the specific flaw in Totolink A7100RU firmware through timely risk-based remediation such as patching.

AC-3 Access Enforcement good match

prevent

Enforces logical access authorizations to block unauthenticated remote access to the vulnerable /cgi-bin/cstecgi.cgi endpoint.

Security SummaryAI

CVE-2026-6115 is an OS command injection vulnerability affecting the Totolink A7100RU router on firmware version 7.4cu.2313_b20191024. The issue exists in the setAppCfg function of the /cgi-bin/cstecgi.cgi file within the CGI Handler component, where manipulation of the "enable" argument enables attackers to inject and execute arbitrary operating system commands.

The vulnerability is exploitable remotely by unauthenticated attackers requiring no privileges, low complexity, and no user interaction, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation allows high-impact compromise of confidentiality, integrity, and availability, potentially granting full control over the affected device.

Advisories from VulDB detail the remote exploitability and reference a published proof-of-concept on GitHub. Practitioners should consult the Totolink website and VulDB entries for any firmware updates or mitigation guidance, as an exploit is publicly available.

Details

CWE(s): CWE-77 CWE-78

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.008 Network Device CLI Execution

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.

attack.mitre.org →

Why these techniques?

CVE enables unauthenticated remote exploitation of a public-facing web CGI application (T1190) to inject and execute arbitrary OS commands on the network device (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_180/README.md
cna@vuldb.com
https://vuldb.com/submit/792248
cna@vuldb.com
https://vuldb.com/vuln/356975
cna@vuldb.com
https://vuldb.com/vuln/356975/cti
cna@vuldb.com
https://www.totolink.net/
cna@vuldb.com