Cyber Posture

CVE-2026-6195

Critical

Published: 13 April 2026

Modified: 22 April 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0125 (79.5th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this issue is the function setPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Manipulation of the argument admpass leads to OS command injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.

Mitigating Controls (NIST 800-53 r5)

- prevent: Directly mitigates OS command injection by requiring validation and sanitization of untrusted inputs such as the admpass argument in the CGI handler.
- prevent: Requires timely flaw remediation through firmware updates to eliminate the specific command injection vulnerability in setPasswordCfg.
- prevent: Enforces approved authorizations to block unauthenticated remote access to, and manipulation of, the vulnerable CGI function.

Security Summary

CVE-2026-6195 is an OS command injection vulnerability in the Totolink A7100RU router firmware version 7.4cu.2313_b20191024. The flaw affects the setPasswordCfg function in the /cgi-bin/cstecgi.cgi file of the CGI Handler component, where manipulation of the admpass argument enables arbitrary OS command execution.

Remote attackers require no privileges, authentication, or user interaction, and can exploit the issue over the network with low attack complexity. Successful exploitation allows high-impact compromise of confidentiality, integrity, and availability, as reflected in the CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The vulnerability maps to CWE-77 (Command Injection) and CWE-78 (OS Command Injection).

Mitigation details appear in the advisories referenced at VulDB (https://vuldb.com/vuln/357117, https://vuldb.com/vuln/357117/cti, https://vuldb.com/submit/797460) and on the Totolink manufacturer site (https://www.totolink.net/). A public exploit disclosure is hosted on GitHub (https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_198/README.md), so the issue may be actively exploited.

The vulnerability was published on 2026-04-13, with the exploit already publicly available for potential remote attacks on affected devices.

Details

CWE(s): CWE-77 (Command Injection), CWE-78 (OS Command Injection)

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Unauthenticated remote OS command injection via public-facing router web CGI enables T1190 (Exploit Public-Facing Application) for initial access and facilitates T1059.004 (Unix Shell) for arbitrary command execution on the Linux-based router firmware.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
