CVE-2026-6154

Critical

Published: 13 April 2026

Published

13 April 2026

Modified

27 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0125 79.5th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. The affected element is the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument wizard results in os command injection. The attack…

may be initiated remotely. The exploit has been released to the public and may be used for attacks.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the OS command injection flaw by identifying, prioritizing, and applying firmware patches or updates to remediate the vulnerability in the setWizardCfg function.

SI-10 Information Input Validation good match

prevent

Prevents command injection attacks by validating and sanitizing the untrusted 'wizard' argument before it is processed by the CGI handler.

SC-7 Boundary Protection partial match

prevent

Mitigates remote exploitation by enforcing boundary protections, such as firewalls, to restrict network access to the vulnerable /cgi-bin/cstecgi.cgi endpoint on the router.

Security SummaryAI

CVE-2026-6154 is an OS command injection vulnerability in the Totolink A7100RU router running firmware version 7.4cu.2313_b20191024. The flaw resides in the setWizardCfg function within the /cgi-bin/cstecgi.cgi file of the CGI Handler component, where manipulation of the "wizard" argument enables arbitrary command execution. Associated with CWE-77 (Command Injection) and CWE-78 (OS Command Injection), it carries a CVSS v3.1 base score of 9.8, reflecting its critical severity.

The vulnerability is exploitable remotely over the network by unauthenticated attackers with no privileges required, low attack complexity, and no user interaction needed. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, allowing attackers to execute arbitrary operating system commands on the affected device, potentially leading to full router compromise, data theft, or further network pivoting.

Advisories from VulDB detail the issue and reference a publicly available exploit in a GitHub repository at https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_194/README.md, which may facilitate attacks. The vendor's site at https://www.totolink.net/ is listed, though no specific patch or mitigation details are provided in the available references; security practitioners should check for firmware updates directly.

Notable context includes the public release of an exploit, increasing the risk of real-world attacks against unpatched Totolink A7100RU devices.

Details

CWE(s): CWE-77 CWE-78

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.008 Network Device CLI Execution

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.

attack.mitre.org →

Why these techniques?

The vulnerability is a remotely exploitable OS command injection in a public-facing CGI interface on a router, directly enabling T1190 (Exploit Public-Facing Application) for initial access and T1059.008 (Network Device CLI) for arbitrary command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_194/README.md
cna@vuldb.com
https://vuldb.com/submit/792990
cna@vuldb.com
https://vuldb.com/vuln/357034
cna@vuldb.com
https://vuldb.com/vuln/357034/cti
cna@vuldb.com
https://www.totolink.net/
cna@vuldb.com