Cyber Posture

CVE-2026-6132

Severity: Critical
Published: 12 April 2026
Modified: 27 April 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0032 (55.5th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

A vulnerability was determined in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this issue is the function setLedCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Manipulation of the argument enable causes OS command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.

Mitigating Controls (NIST 800-53 r5)

- prevent: Directly prevents OS command injection by requiring validation of the untrusted 'enable' argument in the vulnerable setLedCfg CGI function.
- prevent: Limits unauthenticated remote access to dangerous CGI functions such as setLedCfg, preventing exploitation without identification and authentication.
- prevent, recover: Mandates timely identification, reporting, and correction of the specific command injection flaw in the Totolink router firmware.

Security Summary

CVE-2026-6132 is an OS command injection vulnerability affecting the Totolink A7100RU router on firmware version 7.4cu.2313_b20191024. The flaw resides in the setLedCfg function within the /cgi-bin/cstecgi.cgi file of the CGI Handler component, where manipulation of the 'enable' argument triggers command injection.

Remote attackers can exploit this vulnerability without authentication or user interaction, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation enables high-impact compromise of confidentiality, integrity, and availability, potentially allowing arbitrary OS command execution on the device. The exploit has been publicly disclosed and may be utilized.

Advisories detail the issue on VulDB at https://vuldb.com/vuln/356996 and https://vuldb.com/submit/792252, with a public exploit README available at https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_183/README.md. The vendor site https://www.totolink.net/ is referenced for further information; security practitioners should consult these sources for any patch availability or mitigation steps.

The vulnerability maps to CWE-77 (Command Injection) and CWE-78 (OS Command Injection), with public disclosure of the exploit heightening the risk of active exploitation in the wild.

Details

CWE(s): CWE-77 (Command Injection), CWE-78 (OS Command Injection)

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.008 Network Device CLI (Execution): Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.

Why these techniques?

Unauthenticated remote OS command injection via a public-facing CGI interface on the router directly enables T1190 (Exploit Public-Facing Application) for initial access and T1059.008 (Network Device CLI) for arbitrary command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

- https://vuldb.com/vuln/356996
- https://vuldb.com/submit/792252
- https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_183/README.md
- https://www.totolink.net/