CVE-2026-6155

Critical

Published: 13 April 2026

Published

13 April 2026

Modified

27 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0125 79.5th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

A weakness has been identified in Totolink A7100RU 7.4cu.2313. The impacted element is the function setWanCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument pppoeServiceName can lead to os command injection. The attack…

may be launched remotely. The exploit has been made available to the public and could be used for attacks.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents OS command injection by validating and sanitizing the pppoeServiceName input argument in the setWanCfg CGI function.

SI-2 Flaw Remediation good match

prevent

Remediates the specific command injection flaw in the Totolink A7100RU firmware through timely identification, reporting, and patching.

AC-3 Access Enforcement good match

prevent

Enforces authentication and authorization requirements to block unauthenticated remote access to the vulnerable CGI handler endpoint.

Security SummaryAI

CVE-2026-6155 is an OS command injection vulnerability affecting the Totolink A7100RU router running firmware version 7.4cu.2313. The flaw resides in the setWanCfg function within the /cgi-bin/cstecgi.cgi file of the CGI handler component, where manipulation of the pppoeServiceName argument enables command injection. It has been assigned CWE-77 and CWE-78, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for complete system compromise.

The vulnerability is exploitable remotely by unauthenticated attackers with network access to the device. Successful exploitation allows arbitrary OS command execution, potentially granting full control over the router, including data exfiltration, modification of configurations, or disruption of services. A public exploit is available, increasing the risk of widespread attacks against exposed Totolink A7100RU devices.

Advisories from VulDB (vuln/357035) and a related GitHub repository detail the vulnerability and proof-of-concept exploit. Security practitioners should consult the Totolink manufacturer website (totolink.net) and VulDB references for any firmware updates or mitigation guidance, as no specific patches are detailed in the available information.

Details

CWE(s): CWE-77 CWE-78

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

The vulnerability is a command injection in a public-facing CGI endpoint on a router, enabling unauthenticated remote exploitation for arbitrary Unix shell command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_196/README.md
cna@vuldb.com
https://vuldb.com/submit/793679
cna@vuldb.com
https://vuldb.com/vuln/357035
cna@vuldb.com
https://vuldb.com/vuln/357035/cti
cna@vuldb.com
https://www.totolink.net/
cna@vuldb.com