Cyber Posture

CVE-2026-6156

Critical

Published: 13 April 2026

Published
13 April 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0125 79.5th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function setIpQosRules of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument Comment leads to os command injection. Remote exploitation of the attack…

more

is possible. The exploit has been disclosed publicly and may be used.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly mitigates OS command injection vulnerability by requiring input validation mechanisms for the untrusted Comment argument in the setIpQosRules CGI function.

AC-14 Permitted Actions Without Identification or Authentication good match
prevent

Prevents unauthenticated remote exploitation by explicitly limiting permitted actions, such as setIpQosRules, without identification or authentication on the CGI handler.

SI-2 Flaw Remediation good match
prevent

Addresses the vulnerability through identification, reporting, and timely remediation of the command injection flaw via firmware updates.

Security SummaryAI

CVE-2026-6156 is an OS command injection vulnerability in the Totolink A7100RU router running firmware version 7.4cu.2313_b20191024. The flaw affects the setIpQosRules function in the /cgi-bin/cstecgi.cgi file of the CGI Handler component, where manipulation of the Comment argument enables injection of arbitrary operating system commands.

Remote attackers can exploit this vulnerability without authentication or user interaction, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and associated CWEs-77 and CWE-78. Successful exploitation allows attackers to execute arbitrary OS commands, potentially compromising confidentiality, integrity, and availability of the affected device.

Advisories provide further details at VulDB entries (https://vuldb.com/vuln/357036, https://vuldb.com/vuln/357036/cti, https://vuldb.com/submit/793681) and a GitHub repository with the disclosed exploit (https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_197/README.md). The vendor site is available at https://www.totolink.net/.

The exploit has been publicly disclosed and may be used, per the CVE description published on 2026-04-13.

Details

CWE(s)
CWE-77CWE-78

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
attack.mitre.org →
Why these techniques?

The vulnerability is an unauthenticated OS command injection in a public-facing router web CGI interface (T1190), directly enabling arbitrary command execution on the network device CLI (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References