Cyber Posture

CVE-2026-6116

Critical

Published: 12 April 2026

Modified: 27 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0125 (79.5th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

A vulnerability has been found in Totolink A7100RU 7.4cu.2313_b20191024. This vulnerability affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument ip leads to OS command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mitigates OS command injection by requiring validation of the untrusted 'ip' argument in the setDiagnosisCfg CGI function to prevent arbitrary command execution.

Prevent: Addresses the root cause by establishing processes for timely flaw remediation, including applying firmware patches to eliminate the command injection vulnerability.

Prevent: Prevents remote exploitation over the network by enforcing boundary protection to restrict unauthorized access to the vulnerable /cgi-bin/cstecgi.cgi endpoint.
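The input-validation control above, shown as an added example rather than Totolink firmware code: an allow-list check that accepts only a literal IP address for a setDiagnosisCfg-style "ip" argument, followed by argv construction that never hands the value to a shell. The choice of ping as the diagnostic command is an assumption for illustration; the page does not name the underlying command.

```c
/* Added example, not Totolink firmware code: allow-list validation of an
 * untrusted CGI "ip" argument and safe argv construction. The use of
 * ping as the diagnostic command is an assumption for illustration. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

#define MAX_IP_LEN 45 /* longest textual IPv6 literal */

/* Return 1 only if s is exactly one IPv4 or IPv6 literal, else 0.
 * inet_pton accepts canonical address syntax alone: no whitespace,
 * no shell metacharacters and no trailing text can slip through. */
int ip_arg_is_valid(const char *s)
{
    unsigned char buf[16];

    if (s == NULL || s[0] == '\0' || strlen(s) > MAX_IP_LEN)
        return 0;
    return inet_pton(AF_INET, s, buf) == 1 ||
           inet_pton(AF_INET6, s, buf) == 1;
}

/* Hardened handler shape: validate first, then place the address in a
 * discrete argv slot for execve()/posix_spawn(). The command line is
 * never assembled as one string for system() or popen(), so even a
 * validator bug cannot turn the argument into extra shell commands.
 * argv must have room for 5 entries. Returns 0 on success, -1 if the
 * input was rejected. */
int build_ping_argv(const char *ip, const char *argv[5])
{
    if (!ip_arg_is_valid(ip))
        return -1;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "3";
    argv[3] = ip;   /* validated literal, passed as its own argument */
    argv[4] = NULL;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs as a CGI handler might receive them. */
    const char *samples[] = { "192.0.2.1", "2001:db8::1", "192.0.2.1;x", "" };
    const char *argv[5];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> %s\n", samples[i],
               build_ping_argv(samples[i], argv) == 0 ? "accepted" : "rejected");
    return 0;
}
```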

Security Summary

CVE-2026-6116 is an OS command injection vulnerability in the Totolink A7100RU router running firmware version 7.4cu.2313_b20191024. The issue resides in the setDiagnosisCfg function within the /cgi-bin/cstecgi.cgi file of the CGI Handler component, where manipulation of the "ip" argument enables arbitrary command execution. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-77 (Command Injection) and CWE-78 (OS Command Injection).

The vulnerability can be exploited remotely over the network without authentication, user interaction, or privileges. Successful exploitation has high impact on confidentiality, integrity, and availability, potentially enabling full router compromise, such as executing arbitrary system commands, data exfiltration, or persistent backdoor installation.

Advisories from VulDB (vuln/356976) and a related GitHub repository detail the vulnerability and provide a publicly disclosed exploit in the form of a README at https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_181/README.md. No specific patches are mentioned in the available references, though the vendor site at https://www.totolink.net/ is listed for potential updates.

The exploit has been publicly disclosed and may be actively used, increasing the risk for unpatched Totolink A7100RU devices exposed to the internet.

Details

CWE(s)

CWE-77 (Command Injection), CWE-78 (OS Command Injection)

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Unauthenticated OS command injection via web CGI interface on public-facing router enables T1190 (Exploit Public-Facing Application) for initial access and T1059.004 (Unix Shell) for arbitrary command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

VulDB advisory: vuln/356976
GitHub repository (public disclosure): https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_181/README.md
Vendor site: https://www.totolink.net/