Cyber Posture

CVE-2026-6139

Critical

Published: 13 April 2026
Modified: 27 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0125 (79.5th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

A vulnerability has been found in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function UploadOpenVpnCert of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument FileName leads to os command injection. The attack can be launched remotely.…

The exploit has been disclosed to the public and may be used.

Mitigating Controls (NIST 800-53 r5)

- Prevent: Directly remediates the OS command injection flaw in the UploadOpenVpnCert function through firmware patching.
- Prevent: Validates the manipulated FileName argument to prevent injection of arbitrary OS commands via the CGI handler.
- Prevent: Enforces authentication and authorization prior to access of the vulnerable /cgi-bin/cstecgi.cgi endpoint, blocking unauthenticated remote exploitation.

Security Summary

CVE-2026-6139 is an OS command injection vulnerability in the Totolink A7100RU router running firmware version 7.4cu.2313_b20191024. The issue resides in the UploadOpenVpnCert function within the /cgi-bin/cstecgi.cgi file of the CGI Handler component, where manipulation of the FileName argument enables arbitrary command execution. It is classified under CWE-77 (Command Injection) and CWE-78 (OS Command Injection), with a CVSS v3.1 base score of 9.8 (Critical), reflecting network accessibility, low attack complexity, no privileges or user interaction required, and high impacts on confidentiality, integrity, and availability.

The vulnerability can be exploited remotely by unauthenticated attackers over the network. By crafting a malicious request to the affected endpoint with a specially manipulated FileName argument, an attacker can inject and execute arbitrary operating system commands on the router's underlying system. Successful exploitation grants full control over the device, potentially allowing data exfiltration, further network pivoting, or persistent access.

Advisories referenced in VULDB entries (vuldb.com/vuln/357003 and related pages) detail the vulnerability and public exploit disclosure, while the vendor's site (totolink.net) should be consulted for any firmware updates or patches. A GitHub repository (github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_192/README.md) contains exploit code, confirming active public availability. No specific mitigation steps beyond patching are outlined in the provided details.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

CVE-2026-6139 is a command injection vulnerability in a public-facing router web CGI interface (T1190: Exploit Public-Facing Application), enabling remote unauthenticated arbitrary OS command execution on the underlying Unix/Linux system (T1059.004: Unix Shell).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0