CVE-2026-6138

Critical

Published: 13 April 2026

Published

13 April 2026

Modified

27 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0125 79.5th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

A flaw has been found in Totolink A7100RU 7.4cu.2313_b20191024. The impacted element is the function setAccessDeviceCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument mac causes os command injection. The attack can be initiated…

remotely. The exploit has been published and may be used.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

preventrecover

Directly remediates the OS command injection flaw in the setAccessDeviceCfg function by applying vendor firmware updates or patches.

SI-10 Information Input Validation good match

prevent

Prevents command injection attacks by validating and sanitizing the 'mac' argument input to the vulnerable CGI handler.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Identifies the command injection vulnerability through regular scanning of the router firmware and hosted applications.

Security SummaryAI

CVE-2026-6138 is an OS command injection vulnerability affecting the Totolink A7100RU router on firmware version 7.4cu.2313_b20191024. The issue lies in the setAccessDeviceCfg function of the /cgi-bin/cstecgi.cgi file within the CGI Handler component, where manipulation of the 'mac' argument triggers command injection. Published on 2026-04-13, it is associated with CWE-77 and CWE-78.

The vulnerability enables remote exploitation by unauthenticated attackers requiring low complexity and no user interaction, per its CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Attackers can execute arbitrary OS commands on the device, achieving high impacts on confidentiality, integrity, and availability, potentially leading to full router compromise.

Advisories and references, including a GitHub repository at https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_191/README.md publishing the exploit, VULDB entries at https://vuldb.com/vuln/357002 and related pages, and the Totolink vendor site at https://www.totolink.net/, provide further details. Practitioners should review these for mitigation guidance, such as firmware updates if available from the vendor.

The exploit has been publicly released and may be used, heightening the risk of real-world attacks on unpatched devices.

Details

CWE(s): CWE-77 CWE-78

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.008 Network Device CLI Execution

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.

attack.mitre.org →

Why these techniques?

OS command injection in public-facing router CGI enables remote exploitation of public-facing application (T1190) and facilitates arbitrary OS command execution on network device (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_191/README.md
cna@vuldb.com
https://vuldb.com/submit/792980
cna@vuldb.com
https://vuldb.com/vuln/357002
cna@vuldb.com
https://vuldb.com/vuln/357002/cti
cna@vuldb.com
https://www.totolink.net/
cna@vuldb.com